Edit tour

Windows Analysis Report
Document.exe

Overview

General Information

Sample Name:	Document.exe
Analysis ID:	680351
MD5:	7ed91a8a05d340670440c48390aaba1c
SHA1:	370e2c4ed3a4ff0f6fc6bc6d634ad29d7690ae0a
SHA256:	7e525faf627cca0905153e9ab2d1308006466097a041395573e2ff31c58b69a7
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Document.exe (PID: 5756 cmdline: "C:\Users\user\Desktop\Document.exe" MD5: 7ED91A8A05D340670440C48390AABA1C)

Document.exe (PID: 5156 cmdline: C:\Users\user\Desktop\Document.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

Document.exe (PID: 4140 cmdline: C:\Users\user\Desktop\Document.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

Document.exe (PID: 5076 cmdline: C:\Users\user\Desktop\Document.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

Document.exe (PID: 6128 cmdline: C:\Users\user\Desktop\Document.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

InxbcD.exe (PID: 2136 cmdline: "C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe" MD5: 7ED91A8A05D340670440C48390AABA1C)

InxbcD.exe (PID: 4684 cmdline: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

InxbcD.exe (PID: 3396 cmdline: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

InxbcD.exe (PID: 5532 cmdline: "C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe" MD5: 7ED91A8A05D340670440C48390AABA1C)

InxbcD.exe (PID: 1656 cmdline: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe MD5: 7ED91A8A05D340670440C48390AABA1C)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "moni@seara-br.co", "Password": "eTLvLmQ0", "Host": "us2.smtp.mailhostbox.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.286387486.000000000277A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.356439070.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x669f7:$a13: get_DnsResolver 0x9b017:$a13: get_DnsResolver 0xcf437:$a13: get_DnsResolver 0x65219:$a20: get_LastAccessed 0x99839:$a20: get_LastAccessed 0xcdc59:$a20: get_LastAccessed 0x673a1:$a27: set_InternalServerPort 0x9b9c1:$a27: set_InternalServerPort 0xcfde1:$a27: set_InternalServerPort 0x676ba:$a30: set_GuidMasterKey 0x9bcda:$a30: set_GuidMasterKey 0xd00fa:$a30: set_GuidMasterKey 0x65320:$a33: get_Clipboard 0x99940:$a33: get_Clipboard 0xcdd60:$a33: get_Clipboard 0x6532e:$a34: get_Keyboard 0x9994e:$a34: get_Keyboard 0xcdd6e:$a34: get_Keyboard 0x6662a:$a35: get_ShiftKeyDown 0x9ac4a:$a35: get_ShiftKeyDown 0xcf06a:$a35: get_ShiftKeyDown
00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2ffbf:$a13: get_DnsResolver 0x2e7e1:$a20: get_LastAccessed 0x30969:$a27: set_InternalServerPort 0x30c82:$a30: set_GuidMasterKey 0x2e8e8:$a33: get_Clipboard 0x2e8f6:$a34: get_Keyboard 0x2fbf2:$a35: get_ShiftKeyDown 0x2fc03:$a36: get_AltKeyDown 0x2e903:$a37: get_Password 0x2f3a2:$a38: get_PasswordHash 0x303d7:$a39: get_DefaultCredentials
00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.350967308.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Document.exe PID: 5756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Document.exe PID: 5756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Document.exe PID: 5756	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x305db:$a13: get_DnsResolver 0x2f05d:$a20: get_LastAccessed 0x30f34:$a27: set_InternalServerPort 0x31190:$a30: set_GuidMasterKey 0x2f150:$a33: get_Clipboard 0x2f15e:$a34: get_Keyboard 0x302ad:$a35: get_ShiftKeyDown 0x302be:$a36: get_AltKeyDown 0x2f16b:$a37: get_Password 0x2fb66:$a38: get_PasswordHash 0x309c7:$a39: get_DefaultCredentials
Process Memory Space: Document.exe PID: 6128	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Document.exe PID: 6128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Document.exe PID: 6128	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eed3:$a13: get_DnsResolver 0x2d955:$a20: get_LastAccessed 0x2f82c:$a27: set_InternalServerPort 0x2fa88:$a30: set_GuidMasterKey 0x2da48:$a33: get_Clipboard 0x2da56:$a34: get_Keyboard 0x2eba5:$a35: get_ShiftKeyDown 0x2ebb6:$a36: get_AltKeyDown 0x2da63:$a37: get_Password 0x2e45e:$a38: get_PasswordHash 0x2f2bf:$a39: get_DefaultCredentials
Process Memory Space: InxbcD.exe PID: 2136	webshell_jsp_generic_base64	Generic JSP webshell with base64 encoded payload	Arnim Rupp	0x287ac:$one1: SdW50aW1l 0x2f839:$one1: SdW50aW1l 0x2878e:$one2: J1bnRpbW 0x287ee:$one2: J1bnRpbW 0x28961:$one2: J1bnRpbW 0x2f81c:$one2: J1bnRpbW 0x2f878:$one2: J1bnRpbW 0x2f9d8:$one2: J1bnRpbW 0x29009:$one3: UnVudGltZ 0x3002a:$one3: UnVudGltZ 0x7c18:$two2: V4ZW 0x33449:$two2: V4ZW 0xe2fe:$cjsp_short1: <% 0x35926:$cjsp_short1: <% 0x3459a:$cjsp_short2: %> 0x348d9:$cjsp_short2: %> 0x35f9a:$cjsp_short2: %> 0x36641:$cjsp_short2: %> 0x3709a:$cjsp_short2: %> 0x37a30:$cjsp_short2: %> 0xe2fe:$cjsp_long6: <%
Process Memory Space: InxbcD.exe PID: 2136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InxbcD.exe PID: 3396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InxbcD.exe PID: 3396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InxbcD.exe PID: 1656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InxbcD.exe PID: 1656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Document.exe.3655e58.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3655e58.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3655e58.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30c9c:$s10: logins 0x30703:$s11: credential 0x2cce8:$g1: get_Clipboard 0x2ccf6:$g2: get_Keyboard 0x2cd03:$g3: get_Password 0x2dfe2:$g4: get_CtrlKeyDown 0x2dff2:$g5: get_ShiftKeyDown 0x2e003:$g6: get_AltKeyDown
0.2.Document.exe.3655e58.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e3bf:$a13: get_DnsResolver 0x2cbe1:$a20: get_LastAccessed 0x2ed69:$a27: set_InternalServerPort 0x2f082:$a30: set_GuidMasterKey 0x2cce8:$a33: get_Clipboard 0x2ccf6:$a34: get_Keyboard 0x2dff2:$a35: get_ShiftKeyDown 0x2e003:$a36: get_AltKeyDown 0x2cd03:$a37: get_Password 0x2d7a2:$a38: get_PasswordHash 0x2e7d7:$a39: get_DefaultCredentials
0.2.Document.exe.3621838.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3621838.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3621838.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30c9c:$s10: logins 0x30703:$s11: credential 0x2cce8:$g1: get_Clipboard 0x2ccf6:$g2: get_Keyboard 0x2cd03:$g3: get_Password 0x2dfe2:$g4: get_CtrlKeyDown 0x2dff2:$g5: get_ShiftKeyDown 0x2e003:$g6: get_AltKeyDown
0.2.Document.exe.3621838.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e3bf:$a13: get_DnsResolver 0x2cbe1:$a20: get_LastAccessed 0x2ed69:$a27: set_InternalServerPort 0x2f082:$a30: set_GuidMasterKey 0x2cce8:$a33: get_Clipboard 0x2ccf6:$a34: get_Keyboard 0x2dff2:$a35: get_ShiftKeyDown 0x2e003:$a36: get_AltKeyDown 0x2cd03:$a37: get_Password 0x2d7a2:$a38: get_PasswordHash 0x2e7d7:$a39: get_DefaultCredentials
8.0.Document.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Document.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Document.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a9c:$s10: logins 0x32503:$s11: credential 0x2eae8:$g1: get_Clipboard 0x2eaf6:$g2: get_Keyboard 0x2eb03:$g3: get_Password 0x2fde2:$g4: get_CtrlKeyDown 0x2fdf2:$g5: get_ShiftKeyDown 0x2fe03:$g6: get_AltKeyDown
8.0.Document.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x301bf:$a13: get_DnsResolver 0x2e9e1:$a20: get_LastAccessed 0x30b69:$a27: set_InternalServerPort 0x30e82:$a30: set_GuidMasterKey 0x2eae8:$a33: get_Clipboard 0x2eaf6:$a34: get_Keyboard 0x2fdf2:$a35: get_ShiftKeyDown 0x2fe03:$a36: get_AltKeyDown 0x2eb03:$a37: get_Password 0x2f5a2:$a38: get_PasswordHash 0x305d7:$a39: get_DefaultCredentials
0.2.Document.exe.3655e58.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3655e58.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3655e58.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a9c:$s10: logins 0x66ebc:$s10: logins 0x32503:$s11: credential 0x66923:$s11: credential 0x2eae8:$g1: get_Clipboard 0x62f08:$g1: get_Clipboard 0x2eaf6:$g2: get_Keyboard 0x62f16:$g2: get_Keyboard 0x2eb03:$g3: get_Password 0x62f23:$g3: get_Password 0x2fde2:$g4: get_CtrlKeyDown 0x64202:$g4: get_CtrlKeyDown 0x2fdf2:$g5: get_ShiftKeyDown 0x64212:$g5: get_ShiftKeyDown 0x2fe03:$g6: get_AltKeyDown 0x64223:$g6: get_AltKeyDown
0.2.Document.exe.3655e58.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xa1957:$s1: file:/// 0x113977:$s1: file:/// 0xa1867:$s2: {11111-22222-10009-11112} 0x113887:$s2: {11111-22222-10009-11112} 0xa18e7:$s3: {11111-22222-50001-00000} 0x113907:$s3: {11111-22222-50001-00000} 0x9ebd7:$s4: get_Module 0x110bf7:$s4: get_Module 0x2f051:$s5: Reverse 0x63471:$s5: Reverse 0x9f050:$s5: Reverse 0x111070:$s5: Reverse 0x30f24:$s6: BlockCopy 0x65344:$s6: BlockCopy 0xa1029:$s6: BlockCopy 0x113049:$s6: BlockCopy 0x2f2f2:$s7: ReadByte 0x63712:$s7: ReadByte 0xa1969:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x113989:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.Document.exe.3655e58.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x301bf:$a13: get_DnsResolver 0x645df:$a13: get_DnsResolver 0x2e9e1:$a20: get_LastAccessed 0x62e01:$a20: get_LastAccessed 0x30b69:$a27: set_InternalServerPort 0x64f89:$a27: set_InternalServerPort 0x30e82:$a30: set_GuidMasterKey 0x652a2:$a30: set_GuidMasterKey 0x2eae8:$a33: get_Clipboard 0x62f08:$a33: get_Clipboard 0x2eaf6:$a34: get_Keyboard 0x62f16:$a34: get_Keyboard 0x2fdf2:$a35: get_ShiftKeyDown 0x64212:$a35: get_ShiftKeyDown 0x2fe03:$a36: get_AltKeyDown 0x64223:$a36: get_AltKeyDown 0x2eb03:$a37: get_Password 0x62f23:$a37: get_Password 0x2f5a2:$a38: get_PasswordHash 0x639c2:$a38: get_PasswordHash 0x305d7:$a39: get_DefaultCredentials
0.2.Document.exe.3621838.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3621838.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Document.exe.3621838.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a9c:$s10: logins 0x670bc:$s10: logins 0x9b4dc:$s10: logins 0x32503:$s11: credential 0x66b23:$s11: credential 0x9af43:$s11: credential 0x2eae8:$g1: get_Clipboard 0x63108:$g1: get_Clipboard 0x97528:$g1: get_Clipboard 0x2eaf6:$g2: get_Keyboard 0x63116:$g2: get_Keyboard 0x97536:$g2: get_Keyboard 0x2eb03:$g3: get_Password 0x63123:$g3: get_Password 0x97543:$g3: get_Password 0x2fde2:$g4: get_CtrlKeyDown 0x64402:$g4: get_CtrlKeyDown 0x98822:$g4: get_CtrlKeyDown 0x2fdf2:$g5: get_ShiftKeyDown 0x64412:$g5: get_ShiftKeyDown 0x98832:$g5: get_ShiftKeyDown
0.2.Document.exe.3621838.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd5f77:$s1: file:/// 0x147f97:$s1: file:/// 0xd5e87:$s2: {11111-22222-10009-11112} 0x147ea7:$s2: {11111-22222-10009-11112} 0xd5f07:$s3: {11111-22222-50001-00000} 0x147f27:$s3: {11111-22222-50001-00000} 0xd31f7:$s4: get_Module 0x145217:$s4: get_Module 0x2f051:$s5: Reverse 0x63671:$s5: Reverse 0x97a91:$s5: Reverse 0xd3670:$s5: Reverse 0x145690:$s5: Reverse 0x30f24:$s6: BlockCopy 0x65544:$s6: BlockCopy 0x99964:$s6: BlockCopy 0xd5649:$s6: BlockCopy 0x147669:$s6: BlockCopy 0x2f2f2:$s7: ReadByte 0x63912:$s7: ReadByte 0x97d32:$s7: ReadByte
0.2.Document.exe.3621838.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x301bf:$a13: get_DnsResolver 0x647df:$a13: get_DnsResolver 0x98bff:$a13: get_DnsResolver 0x2e9e1:$a20: get_LastAccessed 0x63001:$a20: get_LastAccessed 0x97421:$a20: get_LastAccessed 0x30b69:$a27: set_InternalServerPort 0x65189:$a27: set_InternalServerPort 0x995a9:$a27: set_InternalServerPort 0x30e82:$a30: set_GuidMasterKey 0x654a2:$a30: set_GuidMasterKey 0x998c2:$a30: set_GuidMasterKey 0x2eae8:$a33: get_Clipboard 0x63108:$a33: get_Clipboard 0x97528:$a33: get_Clipboard 0x2eaf6:$a34: get_Keyboard 0x63116:$a34: get_Keyboard 0x97536:$a34: get_Keyboard 0x2fdf2:$a35: get_ShiftKeyDown 0x64412:$a35: get_ShiftKeyDown 0x98832:$a35: get_ShiftKeyDown
0.2.Document.exe.35eb418.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Document.exe.35eb418.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Document.exe.35eb418.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68ebc:$s10: logins 0x9d4dc:$s10: logins 0xd18fc:$s10: logins 0x68923:$s11: credential 0x9cf43:$s11: credential 0xd1363:$s11: credential 0x64f08:$g1: get_Clipboard 0x99528:$g1: get_Clipboard 0xcd948:$g1: get_Clipboard 0x64f16:$g2: get_Keyboard 0x99536:$g2: get_Keyboard 0xcd956:$g2: get_Keyboard 0x64f23:$g3: get_Password 0x99543:$g3: get_Password 0xcd963:$g3: get_Password 0x66202:$g4: get_CtrlKeyDown 0x9a822:$g4: get_CtrlKeyDown 0xcec42:$g4: get_CtrlKeyDown 0x66212:$g5: get_ShiftKeyDown 0x9a832:$g5: get_ShiftKeyDown 0xcec52:$g5: get_ShiftKeyDown
0.2.Document.exe.35eb418.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10c397:$s1: file:/// 0x17e3b7:$s1: file:/// 0x10c2a7:$s2: {11111-22222-10009-11112} 0x17e2c7:$s2: {11111-22222-10009-11112} 0x10c327:$s3: {11111-22222-50001-00000} 0x17e347:$s3: {11111-22222-50001-00000} 0x109617:$s4: get_Module 0x17b637:$s4: get_Module 0x65471:$s5: Reverse 0x99a91:$s5: Reverse 0xcdeb1:$s5: Reverse 0x109a90:$s5: Reverse 0x17bab0:$s5: Reverse 0x67344:$s6: BlockCopy 0x9b964:$s6: BlockCopy 0xcfd84:$s6: BlockCopy 0x10ba69:$s6: BlockCopy 0x17da89:$s6: BlockCopy 0x65712:$s7: ReadByte 0x99d32:$s7: ReadByte 0xce152:$s7: ReadByte
0.2.Document.exe.35eb418.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x665df:$a13: get_DnsResolver 0x9abff:$a13: get_DnsResolver 0xcf01f:$a13: get_DnsResolver 0x64e01:$a20: get_LastAccessed 0x99421:$a20: get_LastAccessed 0xcd841:$a20: get_LastAccessed 0x66f89:$a27: set_InternalServerPort 0x9b5a9:$a27: set_InternalServerPort 0xcf9c9:$a27: set_InternalServerPort 0x672a2:$a30: set_GuidMasterKey 0x9b8c2:$a30: set_GuidMasterKey 0xcfce2:$a30: set_GuidMasterKey 0x64f08:$a33: get_Clipboard 0x99528:$a33: get_Clipboard 0xcd948:$a33: get_Clipboard 0x64f16:$a34: get_Keyboard 0x99536:$a34: get_Keyboard 0xcd956:$a34: get_Keyboard 0x66212:$a35: get_ShiftKeyDown 0x9a832:$a35: get_ShiftKeyDown 0xcec52:$a35: get_ShiftKeyDown
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Document.exe	Virustotal: Detection: 28%			Perma Link
Source: Document.exe	ReversingLabs: Detection: 17%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Virustotal: Detection: 28%			Perma Link
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: Document.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

Joe Sandbox ML: detected

Source: 8.0.Document.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.Document.exe.3621838.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "moni@seara-br.co", "Password": "eTLvLmQ0", "Host": "us2.smtp.mailhostbox.com"}

Source: Document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Document.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: global traffic	TCP traffic: 192.168.2.3:49744 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.3:49780 -> 208.91.198.143:587

Source: global traffic	TCP traffic: 192.168.2.3:49744 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.3:49780 -> 208.91.198.143:587

Source: InxbcD.exe, 00000019.00000002.552920598.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0PYcqQo9t3HlEFYDO.org
Source: Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JaRAdc.com
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000003.434924430.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%appdata
Source: Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: Document.exe, 00000000.00000002.282769256.000000000084A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Document.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Document.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document.exe

.NET source code contains very large array initializations

Source: 8.0.Document.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bFCF6A7EFu002dE33Du002d41C2u002d9629u002d029E9E3D636Cu007d/u0031C7F1875u002dA384u002d4590u002dB87Fu002d2AF74FE81805.cs

Large array initialization: .cctor: array initializer size 11586

Source: Document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Document.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Document.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: InxbcD.exe PID: 2136, type: MEMORYSTR	Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d

Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_0082CD04
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_0082F0C0
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_0082F0D0
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06A641D0
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06A64F28
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06C95E20
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06C955EF
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06C955F8
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06C96F8B
Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06C96F90
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_0172D976
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_0172E16A
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_0172DA00
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AAF380
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AA6560
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AACBE4
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AA9148
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AAF6C8
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DBC58
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DC9B8
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063D0040
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063D2120
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_06C976A0
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_06C9C8F0
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_06C951C8
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_06C991E8

Source: Document.exe, 00000000.00000000.244793166.00000000000EC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDefaultInterfaceAttrib.exeB vs Document.exe
Source: Document.exe, 00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejRrTgBXmkjdDgcSwGGtWZglDX.exe4 vs Document.exe
Source: Document.exe, 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejRrTgBXmkjdDgcSwGGtWZglDX.exe4 vs Document.exe
Source: Document.exe, 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Document.exe
Source: Document.exe, 00000000.00000002.293047297.0000000006A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Document.exe
Source: Document.exe, 00000000.00000002.293486106.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs Document.exe
Source: Document.exe, 00000000.00000002.294316380.0000000006C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Document.exe
Source: Document.exe, 00000000.00000003.266214981.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Document.exe
Source: Document.exe, 00000000.00000002.282769256.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Document.exe
Source: Document.exe, 00000008.00000002.512171516.0000000001338000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Document.exe
Source: Document.exe, 00000008.00000003.285724716.0000000006851000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDefaultInterfaceAttrib.exeB vs Document.exe
Source: Document.exe, 00000008.00000000.280155479.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejRrTgBXmkjdDgcSwGGtWZglDX.exe4 vs Document.exe
Source: Document.exe	Binary or memory string: OriginalFilenameDefaultInterfaceAttrib.exeB vs Document.exe

Source: Document.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: InxbcD.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Document.exe	Virustotal: Detection: 28%
Source: Document.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\Document.exe

File read: C:\Users\user\Desktop\Document.exe

Jump to behavior

Source: Document.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Document.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Document.exe "C:\Users\user\Desktop\Document.exe"
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe "C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe "C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe"
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

Source: C:\Users\user\Desktop\Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Document.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Document.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/4@3/3

Source: Document.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: Document.exe, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Document.exe.20000.0.unpack, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: InxbcD.exe.8.dr, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.Document.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.Document.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\Desktop\Document.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Document.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Document.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Document.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Document.exe, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Document.exe.20000.0.unpack, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: InxbcD.exe.8.dr, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\Document.exe	Code function: 0_2_06A6DF12 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AA50F0 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_01AA5540 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAE5E push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAE46 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAEBE push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAE8E push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAED6 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAECE push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAEC6 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAFB6 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAFAE push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAFA6 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAFC2 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAD62 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DADB6 push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DADAE push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DADFA push es; ret
Source: C:\Users\user\Desktop\Document.exe	Code function: 8_2_063DAB19 push es; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.787205536847968
Source: initial sample	Static PE information: section name: .text entropy: 7.787205536847968

Source: C:\Users\user\Desktop\Document.exe

File created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run InxbcD			Jump to behavior
Source: C:\Users\user\Desktop\Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run InxbcD			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Document.exe

File opened: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286387486.000000000277A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.356439070.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.350967308.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 2136, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Document.exe, 00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000000.00000002.286387486.000000000277A000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000012.00000002.356439070.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000012.00000002.350967308.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000015.00000002.376653194.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Document.exe, 00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000000.00000002.286387486.000000000277A000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000012.00000002.356439070.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000012.00000002.350967308.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000015.00000002.376653194.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Document.exe TID: 5780	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\Document.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Document.exe TID: 3768	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Document.exe TID: 4208	Thread sleep count: 9658 > 30
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 5988	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 6024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 5508	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 3652	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 908	Thread sleep count: 9478 > 30
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 5580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe TID: 3672	Thread sleep count: 9395 > 30

Source: C:\Users\user\Desktop\Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Document.exe	Window / User API: threadDelayed 9658
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Window / User API: threadDelayed 9478
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Window / User API: threadDelayed 9395

Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Document.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Document.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Thread delayed: delay time: 922337203685477

Source: InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InxbcD.exe, 00000015.00000002.377424463.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Document.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Document.exe

Code function: 8_2_06C9F6D8 LdrInitializeThunk,

Source: C:\Users\user\Desktop\Document.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Document.exe	Memory written: C:\Users\user\Desktop\Document.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Memory written: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Memory written: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\Desktop\Document.exe	Process created: C:\Users\user\Desktop\Document.exe C:\Users\user\Desktop\Document.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Process created: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Users\user\Desktop\Document.exe VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Users\user\Desktop\Document.exe VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Document.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 1656, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Document.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Document.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 1656, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Document.exe.3655e58.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3621838.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3655e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.3621838.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.exe.35eb418.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Document.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InxbcD.exe PID: 1656, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Document.exe	28%	Virustotal	Browse
Document.exe	17%	ReversingLabs
Document.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	28%	Virustotal	Browse
C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe	17%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.Document.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://api.ipify.org%appdata	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://JaRAdc.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
http://0PYcqQo9t3HlEFYDO.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%appdata	InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.fontbureau.com/designers?	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://JaRAdc.com	InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0A	Document.exe, 00000008.00000002.568031255.0000000006872000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000008.00000002.551388083.000000000363F000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.520740305.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.550192268.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.522158378.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.523803830.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.572962420.0000000006680000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.553154806.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Document.exe, 00000000.00000002.290637100.0000000006562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	Document.exe, 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InxbcD.exe, 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://0PYcqQo9t3HlEFYDO.org	InxbcD.exe, 00000019.00000002.552920598.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.225	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680351
Start date and time: 08/08/202212:54:10	2022-08-08 12:54:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Document.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/4@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.213.164.66
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:55:23	API Interceptor	674x Sleep call for process: Document.exe modified
12:55:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run InxbcD C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
12:55:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run InxbcD C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
12:55:51	API Interceptor	698x Sleep call for process: InxbcD.exe modified

Process:	C:\Users\user\Desktop\Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InxbcD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

Download File

Process:	C:\Users\user\Desktop\Document.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	823808
Entropy (8bit):	7.781001148520893
Encrypted:	false
SSDEEP:	24576:FFxgV10lgTyhAvtvFhdTOZPe9IbUDHDl:pgVWUyhAvtvFhdTY7U
MD5:	7ED91A8A05D340670440C48390AABA1C
SHA1:	370E2C4ED3A4FF0F6FC6BC6D634AD29D7690AE0A
SHA-256:	7E525FAF627CCA0905153E9AB2D1308006466097A041395573E2FF31C58B69A7
SHA-512:	569077E17AC42E6BE529A7A22E45A8D947A1C5DFC62BAF172C59E81C40DCA99264DFC0CB7B257068A26C560EAE24C04A4F3E60357025413843820418F80280EE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 28%, Browse Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..b..............0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........S..(U...........................................................0..k..............%.r...p.%.r[..p.%.ri..p.}......}.....(.......(......{.....o......{.....o.....~....t.....{....(....&&..(........0.................{....o.....o.....sL.....o.....o....o....(.........oD.....o........9......{....o ...o!.....{....o"....o#...r...p.o$...oU...o%....M...(&...o'.......8......o$...oU.....o(...o)...s.....o.....o$...oU.....o(...o+...o,...o-...&.o.....o$...oU.....o(...o+...o....o-

C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.781001148520893
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Document.exe
File size:	823808
MD5:	7ed91a8a05d340670440c48390aaba1c
SHA1:	370e2c4ed3a4ff0f6fc6bc6d634ad29d7690ae0a
SHA256:	7e525faf627cca0905153e9ab2d1308006466097a041395573e2ff31c58b69a7
SHA512:	569077e17ac42e6be529a7a22e45a8d947a1c5dfc62baf172c59e81c40dca99264dfc0cb7b257068a26c560eae24c04a4f3e60357025413843820418f80280ee
SSDEEP:	24576:FFxgV10lgTyhAvtvFhdTOZPe9IbUDHDl:pgVWUyhAvtvFhdTY7U
TLSH:	BE05BE5BBF147708C5A36AB4EE0BB96267F61C5D3135E0B83E547C4A4AFF301E52242A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..b..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ca9f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F0BB22 [Mon Aug 8 07:28:34 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca9a0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x3d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc89f8	0xc8a00	False	0.8177667445482866	data	7.787205536847968	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x3d0	0x400	False	0.3837890625	data	3.0440429899176986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xcc058	0x374	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:55:46.548738956 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:46.716939926 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:46.717205048 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:50.893640995 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:50.893995047 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.061827898 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.062006950 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.062292099 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.230369091 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.275805950 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.444633007 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.444693089 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.444734097 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.444762945 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.444789886 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.444809914 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.448621988 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.543545008 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.614767075 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:51.657484055 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:51.826605082 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.043581963 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.085932970 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.254144907 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.255610943 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.426814079 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.430459023 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.603749990 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.604528904 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.773387909 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.773827076 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:52.965123892 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:52.976968050 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:53.145898104 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:53.147037029 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:53.147173882 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:53.147833109 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:53.147933006 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:55:53.314980030 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:53.317739964 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:53.440301895 CEST	587	49744	208.91.199.225	192.168.2.3
Aug 8, 2022 12:55:53.637490988 CEST	49744	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:34.683269024 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:34.849540949 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:34.851684093 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:35.456537008 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:35.547338009 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:35.593027115 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:35.759546995 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:35.759733915 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:35.844222069 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:35.846904993 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.013546944 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.234888077 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.406636953 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.572982073 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.573018074 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.573040962 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.573056936 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.573084116 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.573133945 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.575385094 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.735094070 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:36.741107941 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:36.844441891 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:37.074443102 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:37.241643906 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:37.344326973 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:39.497345924 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:39.664825916 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:39.665436983 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:39.835731030 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:39.836378098 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.006812096 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.007275105 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.175622940 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.178391933 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.369616032 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.370012045 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.537209034 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.538456917 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.538657904 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.538769960 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.538887978 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:40.704484940 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.706026077 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:40.835095882 CEST	587	49777	208.91.199.225	192.168.2.3
Aug 8, 2022 12:56:41.047856092 CEST	49777	587	192.168.2.3	208.91.199.225
Aug 8, 2022 12:56:49.444216013 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:49.610522032 CEST	587	49780	208.91.198.143	192.168.2.3
Aug 8, 2022 12:56:49.612788916 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:50.155709028 CEST	587	49780	208.91.198.143	192.168.2.3
Aug 8, 2022 12:56:50.156405926 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:50.322803974 CEST	587	49780	208.91.198.143	192.168.2.3
Aug 8, 2022 12:56:50.322856903 CEST	587	49780	208.91.198.143	192.168.2.3
Aug 8, 2022 12:56:50.323129892 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:50.490689039 CEST	587	49780	208.91.198.143	192.168.2.3
Aug 8, 2022 12:56:50.548585892 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:50.574191093 CEST	49780	587	192.168.2.3	208.91.198.143
Aug 8, 2022 12:56:50.740653038 CEST	587	49780	208.91.198.143	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:55:46.484108925 CEST	57723	53	192.168.2.3	8.8.8.8
Aug 8, 2022 12:55:46.509882927 CEST	53	57723	8.8.8.8	192.168.2.3
Aug 8, 2022 12:56:34.583363056 CEST	58625	53	192.168.2.3	8.8.8.8
Aug 8, 2022 12:56:34.602864981 CEST	53	58625	8.8.8.8	192.168.2.3
Aug 8, 2022 12:56:49.363284111 CEST	50778	53	192.168.2.3	8.8.8.8
Aug 8, 2022 12:56:49.385094881 CEST	53	50778	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 12:55:46.484108925 CEST	192.168.2.3	8.8.8.8	0xafa7	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:34.583363056 CEST	192.168.2.3	8.8.8.8	0xe8be	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:49.363284111 CEST	192.168.2.3	8.8.8.8	0xa9b6	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 8, 2022 12:55:46.509882927 CEST	8.8.8.8	192.168.2.3	0xafa7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Aug 8, 2022 12:55:46.509882927 CEST	8.8.8.8	192.168.2.3	0xafa7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Aug 8, 2022 12:55:46.509882927 CEST	8.8.8.8	192.168.2.3	0xafa7	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Aug 8, 2022 12:55:46.509882927 CEST	8.8.8.8	192.168.2.3	0xafa7	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:34.602864981 CEST	8.8.8.8	192.168.2.3	0xe8be	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:34.602864981 CEST	8.8.8.8	192.168.2.3	0xe8be	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:34.602864981 CEST	8.8.8.8	192.168.2.3	0xe8be	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:34.602864981 CEST	8.8.8.8	192.168.2.3	0xe8be	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:49.385094881 CEST	8.8.8.8	192.168.2.3	0xa9b6	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:49.385094881 CEST	8.8.8.8	192.168.2.3	0xa9b6	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:49.385094881 CEST	8.8.8.8	192.168.2.3	0xa9b6	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Aug 8, 2022 12:56:49.385094881 CEST	8.8.8.8	192.168.2.3	0xa9b6	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 12:55:50.893640995 CEST	587	49744	208.91.199.225	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 8, 2022 12:55:50.893995047 CEST	49744	587	192.168.2.3	208.91.199.225	EHLO 035347
Aug 8, 2022 12:55:51.062006950 CEST	587	49744	208.91.199.225	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Aug 8, 2022 12:55:51.062292099 CEST	49744	587	192.168.2.3	208.91.199.225	STARTTLS
Aug 8, 2022 12:55:51.230369091 CEST	587	49744	208.91.199.225	192.168.2.3	220 2.0.0 Ready to start TLS
Aug 8, 2022 12:56:35.456537008 CEST	587	49777	208.91.199.225	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 8, 2022 12:56:35.593027115 CEST	49777	587	192.168.2.3	208.91.199.225	EHLO 035347
Aug 8, 2022 12:56:35.759733915 CEST	587	49777	208.91.199.225	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Aug 8, 2022 12:56:35.846904993 CEST	49777	587	192.168.2.3	208.91.199.225	STARTTLS
Aug 8, 2022 12:56:36.013546944 CEST	587	49777	208.91.199.225	192.168.2.3	220 2.0.0 Ready to start TLS
Aug 8, 2022 12:56:50.155709028 CEST	587	49780	208.91.198.143	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 8, 2022 12:56:50.156405926 CEST	49780	587	192.168.2.3	208.91.198.143	EHLO 035347
Aug 8, 2022 12:56:50.322856903 CEST	587	49780	208.91.198.143	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Aug 8, 2022 12:56:50.323129892 CEST	49780	587	192.168.2.3	208.91.198.143	STARTTLS
Aug 8, 2022 12:56:50.490689039 CEST	587	49780	208.91.198.143	192.168.2.3	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	12:55:11
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Document.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document.exe"
Imagebase:	0x20000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284409305.0000000002533000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286387486.000000000277A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.287031983.00000000035EB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: Document.exePID: 5156, Parent PID: 5756

General

Target ID:	4
Start time:	12:55:25
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Document.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Document.exe
Imagebase:	0xc0000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Document.exePID: 4140, Parent PID: 5756

General

Target ID:	5
Start time:	12:55:25
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Document.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Document.exe
Imagebase:	0x50000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Document.exePID: 5076, Parent PID: 5756

General

Target ID:	6
Start time:	12:55:26
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Document.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Document.exe
Imagebase:	0x3a0000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Document.exePID: 6128, Parent PID: 5756

General

Target ID:	8
Start time:	12:55:27
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Document.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Document.exe
Imagebase:	0xeb0000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000008.00000000.279787688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.527070208.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: InxbcD.exePID: 2136, Parent PID: 3968

General

Target ID:	18
Start time:	12:55:43
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe"
Imagebase:	0x760000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.356439070.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.350967308.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, Virustotal, Browse Detection: 17%, ReversingLabs
Reputation:	low

Analysis Process: InxbcD.exePID: 5532, Parent PID: 3968

General

Target ID:	21
Start time:	12:55:52
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe"
Imagebase:	0x6e0000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: InxbcD.exePID: 4684, Parent PID: 2136

General

Target ID:	22
Start time:	12:55:54
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Imagebase:	0x250000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: InxbcD.exePID: 3396, Parent PID: 2136

General

Target ID:	24
Start time:	12:55:55
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Imagebase:	0x7ff73c930000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.524941648.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: InxbcD.exePID: 1656, Parent PID: 5532

General

Target ID:	25
Start time:	12:56:09
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe
Imagebase:	0x520000
File size:	823808 bytes
MD5 hash:	7ED91A8A05D340670440C48390AABA1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.529474477.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Document.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InxbcD.exe.log

C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe

C:\Users\user\AppData\Roaming\InxbcD\InxbcD.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
Document.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre