
Windows Analysis Report
Technical information zip.exe

Overview

General Information

Sample Name: Technical information zip.exe
Analysis ID: 680483
MD5: ca033c84f5a37105d613c6961b724e97
SHA1: 23f023abfef70de9ee2c909fbef985254b2abe26
SHA256: bfcb8ee096a65d7ec9201b67df585a7e715aaaa0aa2dcfec2e6ff208b3559498
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup

Malware Configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Username": "sales@cabletraychina.com", "Password": "Jhdq2017#", "Host": "mail.cabletraychina.com"}
Source | Rule | Description | Author | Strings
Technical information zip.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.Technical information zip.exe.4493998.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Technical information zip.exe.4493998.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Technical information zip.exe.4493998.7.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
0.2.Technical information zip.exe.4493998.7.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
0.2.Technical information zip.exe.44c9bb8.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
                  No Sigma rule has matched
Snort IDS alerts

Timestamp: 08/08/22-17:23:56.548969
SID: 2840032
Source IP: 192.168.2.4
Source Port: 49780
Destination IP: 162.215.255.143
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-17:23:56.548892
SID: 2839723
Source IP: 192.168.2.4
Source Port: 49780
Destination IP: 162.215.255.143
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-17:23:56.548969
SID: 2851779
Source IP: 192.168.2.4
Source Port: 49780
Destination IP: 162.215.255.143
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-17:23:56.548892
SID: 2030171
Source IP: 192.168.2.4
Source Port: 49780
Destination IP: 162.215.255.143
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Source: 6.0.Technical information zip.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.Technical information zip.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@cabletraychina.com", "Password": "Jhdq2017#", "Host": "mail.cabletraychina.com"}
Source: Technical information zip.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Technical information zip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49780 -> 162.215.255.143:587
Source: Yara match | File source: Technical information zip.exe, type: SAMPLE
Source: Yara match | File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Technical information zip.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://YXbeSX.com
Source: Technical information zip.exe | String found in binary or memory: http://boards.4chan.org/b/
Source: Technical information zip.exe | String found in binary or memory: http://boards.4chan.org3Retrieving
Source: Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cabletraychina.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Technical information zip.exe | String found in binary or memory: http://images.4chan.org/
Source: Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.cabletraychina.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Technical information zip.exe, 00000006.00000002.535012857.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534899990.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534929052.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://GQ0wtPGdRTxOSCfi6tDx.net
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.cabletraychina.com
Source: Technical information zip.exe, 00000000.00000002.298204334.0000000001748000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

                  Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 6.0.Technical information zip.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bAD45BFCAu002dFFC7u002d4A3Bu002dA103u002d50B83C31D5E4u007d/u00329B1881Bu002d2231u002d45D6u002dAF5Du002d402FCB22D10F.csLarge array initialization: .cctor: array initializer size 11940
                  Source: Technical information zip.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                  Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: C:\Users\user\Desktop\Technical information zip.exeCode function: 0_2_05793DC4
                  Source: C:\Users\user\Desktop\Technical information zip.exeCode function: 0_2_05798458
                  Source: C:\Users\user\Desktop\Technical information zip.exeCode function: 6_2_031246A0
                  Source: C:\Users\user\Desktop\Technical information zip.exeCode function: 6_2_03124690
                  Source: C:\Users\user\Desktop\Technical information zip.exeCode function: 6_2_0312DA00
Source: Technical information zip.exe, 00000000.00000002.311102033.0000000007A80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000003.276120039.00000000078E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.300920210.0000000003413000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000000.252119494.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSharedL.exe: vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.311262906.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.298204334.0000000001748000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.311693868.0000000007C50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000006.00000000.294305896.0000000000438000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe | Binary or memory string: OriginalFilenameSharedL.exe: vs Technical information zip.exe
Source: Technical information zip.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Technical information zip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Technical information zip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Technical information zip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Technical information zip.exe "C:\Users\user\Desktop\Technical information zip.exe"
Source: C:\Users\user\Desktop\Technical information zip.exe | Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe
Source: C:\Users\user\Desktop\Technical information zip.exe | Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe
Source: C:\Users\user\Desktop\Technical information zip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Technical information zip.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Technical information zip.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Technical information zip.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/0
Source: Technical information zip.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Technical information zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Technical information zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Technical information zip.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Technical information zip.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Technical information zip.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Technical information zip.exe | Static file information: File size 1343488 > 1048576
Source: Technical information zip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Technical information zip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: Technical information zip.exe, Scraper/frmMain.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/frmMain.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.613311750792489
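The static findings in this report fit together: the file carries an IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory (a .NET assembly), its .text section measures 7.61 bits per byte of entropy (the maximum is 8.0, and ordinary compiled code sits well below 7), and the decompiled frmMain.cs calls AppDomain::Load(System.Byte[]), which loads an assembly straight from memory. Together they describe a packed or encrypted managed payload that is decrypted and reflectively loaded at run time. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses the PE headers directly (no third-party modules), computes per-section Shannon entropy, and checks data directory 14 for a CLR header. The 7.0 threshold and the build_minimal_pe fixture are my own assumptions for demonstration; the fixture builds a tiny PE32 file that is not loadable but exercises the same header fields.

```python
import math
import struct
import sys
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot that holds the CLR header

# Assumption: an executable section above this many bits/byte is treated as packed or encrypted.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _headers(pe: bytes):
    """Validate MZ/PE signatures; return (coff_offset, optional_header_offset, n_sections, size_of_optional)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    return coff, coff + 20, n_sections, size_opt


def has_clr_header(pe: bytes) -> bool:
    """True when data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated, i.e. a .NET image."""
    _, opt, _, size_opt = _headers(pe)
    if size_opt == 0:
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ place the directories differently
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]  # NumberOfRvaAndSizes sits just before them
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return rva != 0 and size != 0


def sections(pe: bytes):
    """Yield (name, raw_bytes, characteristics) for every entry in the section table."""
    _, opt, n_sections, size_opt = _headers(pe)
    table = opt + size_opt
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, pe[raw_ptr:raw_ptr + raw_size], flags


def section_entropies(pe: bytes) -> dict:
    """Map section name -> (entropy, characteristics)."""
    return {name: (shannon_entropy(data), flags) for name, data, flags in sections(pe)}


def suspicious_sections(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of executable sections whose content entropy exceeds the threshold."""
    return [name for name, (ent, flags) in section_entropies(pe).items()
            if flags & IMAGE_SCN_MEM_EXECUTE and ent > threshold]


def build_minimal_pe(section_list, dotnet=False) -> bytes:
    """Constructed fixture: a tiny, non-loadable PE32 with the given [(name, bytes, flags)] sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)  # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:  # point directory 14 at a (fictional) CLR header so has_clr_header() sees it
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_list), 0, 0, 0, len(opt), 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(section_list)
    table, body = b"", b""
    for name, data, flags in section_list:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    print("CLR header present:", has_clr_header(blob))
    for name, (ent, flags) in section_entropies(blob).items():
        print(f"{name:<8} entropy={ent:.3f} executable={bool(flags & IMAGE_SCN_MEM_EXECUTE)}")
    print("suspicious sections:", suspicious_sections(blob))
```

Run it as `python pe_entropy.py sample.exe`. Entropy alone is a weak signal (large compressed resources also score high), which is why the check is restricted to sections marked IMAGE_SCN_MEM_EXECUTE and paired with the CLR-header test: a .NET image whose only code section is near 8.0 bits per byte has almost no plaintext IL in it, and the real logic must be materialised by something like the Assembly.Load(byte[]) call seen above.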
Source: C:\Users\user\Desktop\Technical information zip.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Technical information zip.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 79 times in the report)

                  Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR
Source: Technical information zip.exe, 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Technical information zip.exe, 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Technical information zip.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Technical information zip.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 1400 | Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 5596 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 4776 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 6072 | Thread sleep count: 9844 > 30
Source: C:\Users\user\Desktop\Technical information zip.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Technical information zip.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Technical information zip.exe | Window / User API: threadDelayed 9844
Source: C:\Users\user\Desktop\Technical information zip.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Technical information zip.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Technical information zip.exe | Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\Technical information zip.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Technical information zip.exe | Thread delayed: delay time: 922337203685477
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Technical information zip.exe, 00000006.00000002.525531534.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Technical information zip.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Technical information zip.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Technical information zip.exe | Memory written: C:\Users\user\Desktop\Technical information zip.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Technical information zip.exe | Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe
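The two signature groups above are the ones worth turning into detection logic. In the evasion group, the sample enumerates Win32_Processor, Win32_BaseBoard and Win32_NetworkAdapterConfiguration over WMI (the classic vendor-string checks for VMware, VirtualBox and Hyper-V), looks for Sandboxie's SBIEDLL.DLL and Wine's WINE_GET_UNIX_FILE_NAME export, and sleeps for 922337203685477 ms, which is Int64.MaxValue ticks divided by 10000, i.e. TimeSpan.MaxValue: a sleep the sandbox must short-circuit or never see the payload. In the HIPS group, the process spawns a second copy of its own image and writes a buffer starting with 4D5A ("MZ") at base 0x400000 inside it, the process hollowing pattern. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses signature lines of this form, buckets them by technique, and correlates the memory write with the matching child spawn. The SAMPLE_LINES are copied from the report (in the raw extracted form where the Source column runs straight into the detail; the patterns also accept a " | " column separator). The WMI class list, the artifact-string table and the ATT&CK labels are my own mapping, not the report's.

```python
import re
from collections import defaultdict

# Signature lines copied from the report above, as extracted (no separator between
# the Source column and the detail column).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Technical information zip.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\Technical information zip.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\Technical information zip.exe TID: 5596Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Technical information zip.exeThread delayed: delay time: 45877",
    r"Source: Technical information zip.exe, 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL",
    r"Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II",
    r"Source: C:\Users\user\Desktop\Technical information zip.exeMemory written: C:\Users\user\Desktop\Technical information zip.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\Technical information zip.exeProcess created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe",
]

WMI_RE = re.compile(r"WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : (\w+)")
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
STRING_RE = re.compile(r"Binary or memory string: (.+)$")
MEMWRITE_RE = re.compile(r"Source: (.+?)(?: \| )?Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")
PROC_RE = re.compile(r"Source: (.+?)(?: \| )?Process created: (.+)$")

SLEEP_THRESHOLD_MS = 30_000               # the report's own threshold (">= -30000s")
MAX_TIMESPAN_MS = (2**63 - 1) // 10_000   # TimeSpan.MaxValue in milliseconds: 922337203685477
# Assumption: WMI classes whose enumeration is a common VM/sandbox fingerprint.
VM_WMI_CLASSES = {"Win32_Processor", "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_VideoController"}
# Assumption: upper-cased substrings that name an analysis environment.
SANDBOX_STRINGS = {"SBIEDLL.DLL": "Sandboxie", "WINE_GET_UNIX_FILE_NAME": "Wine",
                   "VMWARE": "VMware", "VBOX": "VirtualBox", "QEMU": "QEMU"}
# Finding labels, using my own ATT&CK mapping.
WMI_CHECK = "T1497.001 VM/sandbox check via WMI"
TIME_EVASION = "T1497.003 time-based evasion"
ARTIFACT_STRING = "T1497.001 VM/sandbox artifact string"
HOLLOWING = "T1055.012 PE image written into own child process"


def analyze(lines):
    """Bucket evasion indicators by technique; memory writes and spawns are correlated at the end."""
    findings = defaultdict(list)
    mem_writes, spawns = [], []
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            if m.group(1) in VM_WMI_CLASSES:
                findings[WMI_CHECK].append(m.group(1))
            continue
        m = SLEEP_RE.search(line) or DELAY_RE.search(line)
        if m:
            ms = int(m.group(1))
            if ms >= SLEEP_THRESHOLD_MS:
                findings[TIME_EVASION].append("TimeSpan.MaxValue" if ms == MAX_TIMESPAN_MS else f"{ms} ms")
            continue
        m = STRING_RE.search(line)
        if m:
            upper = m.group(1).upper()
            findings[ARTIFACT_STRING].extend(p for s, p in SANDBOX_STRINGS.items() if s in upper)
            continue
        m = MEMWRITE_RE.search(line)
        if m:
            mem_writes.append(m.groups())
            continue
        m = PROC_RE.search(line)
        if m:
            spawns.append(m.groups())
    for writer, target, base, magic in mem_writes:
        # A buffer starting with "MZ" (4D5A) written at the image base of a child that the writer
        # itself spawned from the same binary is the process hollowing / self-injection pattern.
        if magic.upper().startswith("4D5A") and any(
                parent == writer and child.startswith(target) for parent, child in spawns):
            findings[HOLLOWING].append(f"{target} @ 0x{base}")
    return findings


if __name__ == "__main__":
    for technique, details in analyze(SAMPLE_LINES).items():
        print(f"{technique}: {', '.join(details)}")
```

Feed it the signature section of a report (one line per entry) to get the same buckets for a different sample. The correlation step matters: a lone WriteProcessMemory of "MZ" can be a legitimate loader, and a lone self-spawn is common in installers, but the two together, with the same image on both sides, is the hollowing sequence and is the event to alert on, independent of whatever the written payload later does.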
Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Users\user\Desktop\Technical information zip.exe VolumeInformation
Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Users\user\Desktop\Technical information zip.exe | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Technical information zip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Technical information zip.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\Technical information zip.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara match | File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR
                  MITRE ATT&CK Matrix (numbers in front of a technique are the signature counts shown in the report's matrix cells)

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 211 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 131 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample
                  Source | Detection | Scanner | Label | Link
                  Technical information zip.exe | 10% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

                  Dropped Files
                  No Antivirus matches

                  Unpacked PE Files
                  Source | Detection | Scanner | Label | Link | Download
                  6.0.Technical information zip.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                  Domains
                  No Antivirus matches

                  URLs
                  Source | Detection | Scanner | Label | Link
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                  http://DynDns.comDynDNS | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
                  http://www.tiro.com | 0% | URL Reputation | safe |
                  https://GQ0wtPGdRTxOSCfi6tDx.net | 0% | Avira URL Cloud | safe |
                  http://cabletraychina.com | 0% | Avira URL Cloud | safe |
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                  http://www.carterandcone.coml | 0% | URL Reputation | safe |
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                  http://www.typography.netD | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                  http://fontfabrik.com | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                  http://YXbeSX.com | 0% | Avira URL Cloud | safe |
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                  http://boards.4chan.org3Retrieving | 0% | Avira URL Cloud | safe |
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                  http://www.sakkal.com | 0% | URL Reputation | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
                  http://mail.cabletraychina.com | 0% | Avira URL Cloud | safe |
                  Domains and IPs

                  Contacted Domains
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  cabletraychina.com | 162.215.255.143 | true | true | | unknown
                  mail.cabletraychina.com | unknown | unknown | true | | unknown
                      URLs from Memory and Binaries
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://www.apache.org/licenses/LICENSE-2.0 | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.fontbureau.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.fontbureau.com/designersG | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://DynDns.comDynDNS | Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/? | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.founder.com.cn/cn/bThe | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://boards.4chan.org/b/ | Technical information zip.exe | false | | high
                      http://www.fontbureau.com/designers? | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.tiro.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://GQ0wtPGdRTxOSCfi6tDx.net | Technical information zip.exe, 00000006.00000002.535012857.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534899990.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534929052.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://cabletraychina.com | Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.goodfont.co.kr | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.carterandcone.coml | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.sajatypeworks.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.netD | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.founder.com.cn/cn/cThe | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/staff/dennis.htm | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://fontfabrik.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/frere-user.html | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://YXbeSX.com | Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.jiyu-kobo.co.jp/ | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/DPlease | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers8 | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://boards.4chan.org3Retrieving | Technical information zip.exe | false | Avira URL Cloud: safe | unknown
                      http://www.fonts.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.sandoll.co.kr | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://images.4chan.org/ | Technical information zip.exe | false | | high
                      http://www.urwpp.deDPlease | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.zhongyicts.com.cn | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.sakkal.com | Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://mail.cabletraychina.com | Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                              No contacted IP infos
                                              Joe Sandbox Version:35.0.0 Citrine
                                              Analysis ID:680483
                                              Start date and time: 08/08/202217:20:352022-08-08 17:20:35 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 8m 43s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:Technical information zip.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:23
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@3/1@2/0
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 97%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.152.110.14, 20.54.89.106, 40.125.122.176, 20.223.24.244, 52.242.101.226
                                              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              Time | Type | Description
                                              17:21:59 | API Interceptor | 607x Sleep call for process: Technical information zip.exe modified
                                              Process:C:\Users\user\Desktop\Technical information zip.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1308
                                              Entropy (8bit):5.345811588615766
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                              MD5:2E016B886BDB8389D2DD0867BE55F87B
                                              SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                              SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                              SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.803329289885253
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:Technical information zip.exe
                                              File size:1343488
                                              MD5:ca033c84f5a37105d613c6961b724e97
                                              SHA1:23f023abfef70de9ee2c909fbef985254b2abe26
                                              SHA256:bfcb8ee096a65d7ec9201b67df585a7e715aaaa0aa2dcfec2e6ff208b3559498
                                              SHA512:24efc400092f7fa258e68b2326ad9e075643aa007b7c2de0d50fa0379821e0ea797d2ed771687193e1bc0c3ebd486e59a627743d3094640af859f3e6e47383e2
                                              SSDEEP:24576:VmZs7cDzhEUKK1j2iU3AMYnC1e9IbUDHDl:Vm67c3xXfU3RYn07U
                                              TLSH:8A559E17AFA076C8F4B75BB9DC1F68D043F5EC09616AD2692E5078BA1FBA301D401E27
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b..............0.................. ........@.. ....................................@................................
                                              Icon Hash:f0f0ccd6d4c4f0e8
                                              Entrypoint:0x4edb02
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x62F06317 [Mon Aug 8 01:12:55 2022 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              mov bh, 1Dh
                                              rol dword ptr [esi+ebp*2], 3Bh
                                              or byte ptr [ecx], FFFFFFD9h
                                              inc ebx
                                              or eax, 130476DCh
                                              imul ebp, dword ptr [ebx-3Bh], 17h
                                              mov dl, 4Dh
                                              xchg byte ptr [edx], bl
                                              add eax, B81E4750h
                                              in eax, dx
                                              or byte ptr [esi], ah
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xedab0 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x5ab5c | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14c000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xece80 | 0xed000 | False | 0.747269127439346 | data | 7.613311750792489 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xf0000 | 0x5ab5c | 0x5ac00 | False | 0.0600330363292011 | data | 2.6135874634094827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x14c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0xf0208 | 0x42028 | data | |
                                              RT_ICON | 0x132230 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                              RT_ICON | 0x132698 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x134c40 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x135ce8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                              RT_ICON | 0x146510 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                              RT_GROUP_ICON | 0x14a738 | 0x5a | data | |
                                              RT_GROUP_ICON | 0x14a794 | 0x3e | data | |
                                              RT_VERSION | 0x14a7d4 | 0x388 | data | |
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              08/08/22-17:23:56.548969 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49780 | 587 | 192.168.2.4 | 162.215.255.143
                                              08/08/22-17:23:56.548892 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49780 | 587 | 192.168.2.4 | 162.215.255.143
                                              08/08/22-17:23:56.548969 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49780 | 587 | 192.168.2.4 | 162.215.255.143
                                              08/08/22-17:23:56.548892 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49780 | 587 | 192.168.2.4 | 162.215.255.143
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Aug 8, 2022 17:23:54.512552977 CEST | 60647 | 53 | 192.168.2.4 | 8.8.8.8
                                              Aug 8, 2022 17:23:54.689174891 CEST | 53 | 60647 | 8.8.8.8 | 192.168.2.4
                                              Aug 8, 2022 17:23:54.692245960 CEST | 64909 | 53 | 192.168.2.4 | 8.8.8.8
                                              Aug 8, 2022 17:23:54.860028028 CEST | 53 | 64909 | 8.8.8.8 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Aug 8, 2022 17:23:54.512552977 CEST | 192.168.2.4 | 8.8.8.8 | 0xebe9 | Standard query (0) | mail.cabletraychina.com | A (IP address) | IN (0x0001)
                                              Aug 8, 2022 17:23:54.692245960 CEST | 192.168.2.4 | 8.8.8.8 | 0x8e2a | Standard query (0) | mail.cabletraychina.com | A (IP address) | IN (0x0001)
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Aug 8, 2022 17:23:54.689174891 CEST | 8.8.8.8 | 192.168.2.4 | 0xebe9 | No error (0) | mail.cabletraychina.com | cabletraychina.com | | CNAME (Canonical name) | IN (0x0001)
                                              Aug 8, 2022 17:23:54.689174891 CEST | 8.8.8.8 | 192.168.2.4 | 0xebe9 | No error (0) | cabletraychina.com | | 162.215.255.143 | A (IP address) | IN (0x0001)
                                              Aug 8, 2022 17:23:54.860028028 CEST | 8.8.8.8 | 192.168.2.4 | 0x8e2a | No error (0) | mail.cabletraychina.com | cabletraychina.com | | CNAME (Canonical name) | IN (0x0001)
                                              Aug 8, 2022 17:23:54.860028028 CEST | 8.8.8.8 | 192.168.2.4 | 0x8e2a | No error (0) | cabletraychina.com | | 162.215.255.143 | A (IP address) | IN (0x0001)


                                              Target ID:0
                                              Start time:17:21:46
                                              Start date:08/08/2022
                                              Path:C:\Users\user\Desktop\Technical information zip.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Technical information zip.exe"
                                              Imagebase:0xee0000
                                              File size:1343488 bytes
                                              MD5 hash:CA033C84F5A37105D613C6961B724E97
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:6
                                              Start time:17:22:05
                                              Start date:08/08/2022
                                              Path:C:\Users\user\Desktop\Technical information zip.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\Technical information zip.exe
                                              Imagebase:0xed0000
                                              File size:1343488 bytes
                                              MD5 hash:CA033C84F5A37105D613C6961B724E97
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low

                                              No disassembly