
Windows Analysis Report
WLmNdxIHr3

Overview

General Information

Sample Name: WLmNdxIHr3 (renamed file extension from none to exe)
Analysis ID: 679200
MD5: ba7863b67930a109864139efe3da478e
SHA1: 0a90df33ba078ba54576906d6072a11b8dca5356
SHA256: 5cc3602f45772a86c0548e965ce7e57809e2e00ac5f5f100006da37bb79c77cb
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • WLmNdxIHr3.exe (PID: 3360 cmdline: "C:\Users\user\Desktop\WLmNdxIHr3.exe" MD5: BA7863B67930A109864139EFE3DA478E)
    • WLmNdxIHr3.exe (PID: 3448 cmdline: C:\Users\user\Desktop\WLmNdxIHr3.exe MD5: BA7863B67930A109864139EFE3DA478E)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": "  Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Source: WLmNdxIHr3.exe; Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security
Source: 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown
Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack; Rule: MALWARE_Win_AgentTeslaV3; Description: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack; Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: WLmNdxIHr3.exe; Virustotal: Detection: 57%
Source: WLmNdxIHr3.exe; Metadefender: Detection: 34%
Source: WLmNdxIHr3.exe; ReversingLabs: Detection: 76%
Source: WLmNdxIHr3.exe; Avira: detected
Source: WLmNdxIHr3.exe; Joe Sandbox ML: detected
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": " Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Source: WLmNdxIHr3.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WLmNdxIHr3.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match; File source: WLmNdxIHr3.exe, type: SAMPLE
Source: Yara match; File source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 208.91.199.223
Source: global traffic; TCP traffic: 192.168.2.7:49785 -> 208.91.199.223:587
Source: unknown; DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary

Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, <PrivateImplementationDetails>{1D26C42F-D2D6-4793-A2FB-B9044BDA64D3}/77984E54-FB32-4CE2-814E-6FDA27C58041.cs; Large array initialization: .cctor: array initializer size 11608
Source: WLmNdxIHr3.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_02B5F3C8
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_02B5F080
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_02B5AD20
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_05D6C460
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_05D6B710
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Code function: 4_2_05D6F1B8
Source: WLmNdxIHr3.exe, 00000000.00000002.415491210.0000000003291000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameFroor.dll4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.416464913.0000000003362000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.439346869.0000000007906000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePlates.dll4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.419515800.0000000004A99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000000.366744324.0000000000EA4000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameTimerCallb.exe2 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.441150858.000000000BE80000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000004.00000002.635155694.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000004.00000000.408725677.0000000000436000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe; Binary or memory string: OriginalFilenameTimerCallb.exe2 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WLmNdxIHr3.exe; Virustotal: Detection: 57%
Source: WLmNdxIHr3.exe; Metadefender: Detection: 34%
Source: WLmNdxIHr3.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe "C:\Users\user\Desktop\WLmNdxIHr3.exe"
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe C:\Users\user\Desktop\WLmNdxIHr3.exe
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WLmNdxIHr3.exe.log
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WLmNdxIHr3.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: WLmNdxIHr3.exe, LoLNotes/Gui/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Gui/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: WLmNdxIHr3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: WLmNdxIHr3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: initial sample | Static PE information: section name: .text entropy: 7.793379716498792
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 3180 | Thread sleep time: -45877s >= -30000s
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 4212 | Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 2892 | Thread sleep count: 9741 > 30
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Window / User API: threadDelayed 9741
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 45877
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 922337203685477
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                  Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: WLmNdxIHr3.exe, LoLNotes/Util/ProcessMemory.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/ProcessMemory.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll')
                  Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Memory written: C:\Users\user\Desktop\WLmNdxIHr3.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe C:\Users\user\Desktop\WLmNdxIHr3.exe
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Users\user\Desktop\WLmNdxIHr3.exe VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Users\user\Desktop\WLmNdxIHr3.exe VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR

                  MITRE ATT&CK Matrix

                  Techniques the report observed carry their hit counts in brackets; the remaining entries are the matrix's unobserved techniques.

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: Windows Management Instrumentation [2 1 1]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Privilege Escalation: Process Injection [1 1 1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [1 1 1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [3]
                  Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: Query Registry [1]; Security Software Discovery [2 1 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [1 1 4]
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: Email Collection [1]; Archive Collected Data [1 1]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1 1]; Fallback Channels; Multiband Communication; Commonly Used Port
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Source | Detection | Scanner | Label | Link
                  WLmNdxIHr3.exe | 57% | Virustotal | | Browse
                  WLmNdxIHr3.exe | 34% | Metadefender | | Browse
                  WLmNdxIHr3.exe | 77% | ReversingLabs | Win32.Trojan.Leonem |
                  WLmNdxIHr3.exe | 100% | Avira | TR/AD.AgentTesla.rlukc |
                  WLmNdxIHr3.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link | Download
                  4.0.WLmNdxIHr3.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                  http://bladecoding.com/lolnotes/leagueofstats.php?name= | 0% | Avira URL Cloud | safe |
                  https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
                  http://www.tiro.com | 0% | URL Reputation | safe |
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                  http://www.carterandcone.coml | 0% | URL Reputation | safe |
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                  http://www.typography.netD | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                  http://fontfabrik.com | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                  http://roTszh.com | 0% | Avira URL Cloud | safe |
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                  https://JUpEVaHhlws.net | 0% | Avira URL Cloud | safe |
                  http://ocsp.sectigo.com0A | 0% | URL Reputation | safe |
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                  http://www.sakkal.com | 0% | URL Reputation | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://127.0.0.1:HTTP/1.1 | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                    http://www.apache.org/licenses/LICENSE-2.0 | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designersG | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://bladecoding.com/lolnotes/leagueofstats.php?name= | WLmNdxIHr3.exe | false | Avira URL Cloud: safe | unknown
                    https://sectigo.com/CPS0 | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/? | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cn/bThe | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://us2.smtp.mailhostbox.com | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designers? | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.lolking.net/summoner/ | WLmNdxIHr3.exe | false | | high
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://bit.ly/unCoIY | WLmNdxIHr3.exe | false | | high
                    http://www.tiro.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://raw.github.com/bladecoding/LoLNotes/master/General.txtO | WLmNdxIHr3.exe | false | | high
                    http://www.fontbureau.com/designers | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.goodfont.co.kr | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.carterandcone.coml | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sajatypeworks.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://github.com/high6/LoLNotes | WLmNdxIHr3.exe | false | | high
                    http://www.typography.netD | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/cabarga.htmlN | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cn/cThe | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/staff/dennis.htm | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://fontfabrik.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/frere-jones.html | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://roTszh.com | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.jiyu-kobo.co.jp/ | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/DPlease | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://JUpEVaHhlws.net | WLmNdxIHr3.exe, 00000004.00000002.640531921.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.fontbureau.com/designers8 | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://ocsp.sectigo.com0A | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fonts.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.sandoll.co.kr | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.urwpp.deDPlease | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.zhongyicts.com.cn | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sakkal.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                  208.91.199.223 | us2.smtp.mailhostbox.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                                                  Joe Sandbox Version:35.0.0 Citrine
                                                  Analysis ID:679200
                                                  Start date and time:05/08/2022 11:57:09 (2022-08-05 11:57:09 +02:00)
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 10m 48s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:WLmNdxIHr3 (renamed file extension from none to exe)
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of new started processes analysed:20
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.211.4.86
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                                  • Not all processes were analyzed; the report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  Time | Type | Description
                                                  11:58:55 | API Interceptor | 657x Sleep call for process: WLmNdxIHr3.exe modified
                                                  Process:C:\Users\user\Desktop\WLmNdxIHr3.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1308
                                                  Entropy (8bit):5.345811588615766
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.784555726017543
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
File name: WLmNdxIHr3.exe
File size: 797696 bytes
MD5: ba7863b67930a109864139efe3da478e
SHA1: 0a90df33ba078ba54576906d6072a11b8dca5356
SHA256: 5cc3602f45772a86c0548e965ce7e57809e2e00ac5f5f100006da37bb79c77cb
SHA512: 3cabfffd95d1151b04240caa2bf200c9a53cc3899f85927e3259f53805e2544dcdc4249b855bc4ffb245c1131d30ea48be52392928623ec1d0d4bb654212cc63
SSDEEP: 12288:zbv7n02b2UVFdPBGjy1AuFWBVeS5f/QBK7CNhvk0R4pRmCDqHVVAx67WeyqLvLqh:3Gjy1AuBS5c+Y7ipRmb13W4LzEkM
TLSH: 5105F12503BCCB4AE9BF47F9F4245581477AA203A54BE74D9F80E0CE3EA37A0D5152A7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.b..............0...... .......(... ...@....@.. ....................................@................................
Icon Hash: 686868e882e479b2
Entrypoint: 0x4c28da
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x62E02AA7 [Tue Jul 26 17:55:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
mov edi, edi
push ebp
mov ebp, esp
add byte ptr [eax], al
add byte ptr [ebp-75h], dl
in al, dx
pushad
mov eax, dword ptr [ebp+0Ch]
cmp word ptr [eax], 0002h
jne 00007FAAAD47EF24h
mov ecx, 00003308h
cmp word ptr [eax+02h], cx
jne 00007FAAAD47EF19h
mov dword ptr [eax+04h], 0100007Fh
popad
jmp 00007FAAAD47EF15h
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2888 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x1ca4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc0910 | 0xc0a00 | False | 0.86008349894549 | data | 7.793379716498792 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x1ca4 | 0x1e00 | False | 0.65078125 | data | 6.816247600191881 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc4100 | 0xf94 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xc50a4 | 0x14 | data | |
RT_VERSION | 0xc50c8 | 0x324 | data | |
RT_MANIFEST | 0xc53fc | 0x8a3 | XML 1.0 document, UTF-8 Unicode (with BOM) text | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:59:19.661211014 CEST | 64618 | 53 | 192.168.2.7 | 8.8.8.8
Aug 5, 2022 11:59:19.683432102 CEST | 53 | 64618 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:59:19.661211014 CEST | 192.168.2.7 | 8.8.8.8 | 0x9bdb | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 11:59:19.683432102 CEST | 8.8.8.8 | 192.168.2.7 | 0x9bdb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST | 8.8.8.8 | 192.168.2.7 | 0x9bdb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST | 8.8.8.8 | 192.168.2.7 | 0x9bdb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST | 8.8.8.8 | 192.168.2.7 | 0x9bdb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 5, 2022 11:59:23.267518044 CEST | 587 | 49785 | 208.91.199.223 | 192.168.2.7 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 5, 2022 11:59:23.267951012 CEST | 49785 | 587 | 192.168.2.7 | 208.91.199.223 | EHLO 124406
Aug 5, 2022 11:59:23.438460112 CEST | 587 | 49785 | 208.91.199.223 | 192.168.2.7 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Aug 5, 2022 11:59:23.438792944 CEST | 49785 | 587 | 192.168.2.7 | 208.91.199.223 | STARTTLS
Aug 5, 2022 11:59:23.609215975 CEST | 587 | 49785 | 208.91.199.223 | 192.168.2.7 | 220 2.0.0 Ready to start TLS


Target ID: 0
Start time: 11:58:39
Start date: 05/08/2022
Path: C:\Users\user\Desktop\WLmNdxIHr3.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WLmNdxIHr3.exe"
Imagebase: 0xde0000
File size: 797696 bytes
MD5 hash: BA7863B67930A109864139EFE3DA478E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 4
Start time: 11:58:58
Start date: 05/08/2022
Path: C:\Users\user\Desktop\WLmNdxIHr3.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\WLmNdxIHr3.exe
Imagebase: 0x830000
File size: 797696 bytes
MD5 hash: BA7863B67930A109864139EFE3DA478E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly