Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BANK COPY.exe

Overview

General Information

Sample Name:BANK COPY.exe
Analysis ID:680551
MD5:0197c423eddeb8a0ed293e96a152f5a2
SHA1:068261f9991202b0a75d813f0c25267d28e4fb51
SHA256:54877cf2e0d27d13a5e94fcfb0eae5749bfc56e0e2f548f6410e6e4d56f3ea3f
Tags:agentteslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • BANK COPY.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\BANK COPY.exe" MD5: 0197C423EDDEB8A0ED293E96A152F5A2)
    • schtasks.exe (PID: 5308 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4692 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • yqWDN.exe (PID: 4264 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yqWDN.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "emin.gasimov@absheron-sharab.az", "Password": "emin077", "Host": "mail.absheron-sharab.az"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x3017e:$a13: get_DnsResolver
      • 0x2e978:$a20: get_LastAccessed
      • 0x30afc:$a27: set_InternalServerPort
      • 0x30e18:$a30: set_GuidMasterKey
      • 0x2ea7f:$a33: get_Clipboard
      • 0x2ea8d:$a34: get_Keyboard
      • 0x2fd96:$a35: get_ShiftKeyDown
      • 0x2fda7:$a36: get_AltKeyDown
      • 0x2ea9a:$a37: get_Password
      • 0x2f546:$a38: get_PasswordHash
      • 0x3057e:$a39: get_DefaultCredentials
      00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          Click to see the 10 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.BANK COPY.exe.3d1e9d8.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            0.2.BANK COPY.exe.3d1e9d8.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              7.0.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                7.0.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  7.0.RegSvcs.exe.400000.0.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                  • 0x32c58:$s10: logins
                  • 0x326bf:$s11: credential
                  • 0x2ec7f:$g1: get_Clipboard
                  • 0x2ec8d:$g2: get_Keyboard
                  • 0x2ec9a:$g3: get_Password
                  • 0x2ff86:$g4: get_CtrlKeyDown
                  • 0x2ff96:$g5: get_ShiftKeyDown
                  • 0x2ffa7:$g6: get_AltKeyDown
                  Click to see the 8 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: BANK COPY.exeVirustotal: Detection: 54%Perma Link
                  Source: BANK COPY.exeReversingLabs: Detection: 39%
                  Antivirus / Scanner detection for submitted sample
                  Source: BANK COPY.exeAvira: detected
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\gPxsznxm.exeAvira: detection malicious, Label: HEUR/AGEN.1235476
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\gPxsznxm.exeReversingLabs: Detection: 39%
                  Machine Learning detection for sample
                  Source: BANK COPY.exeJoe Sandbox ML: detected
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\gPxsznxm.exeJoe Sandbox ML: detected
                  Source: 7.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "emin.gasimov@absheron-sharab.az", "Password": "emin077", "Host": "mail.absheron-sharab.az"}
                  Source: BANK COPY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: BANK COPY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: RegSvcs.pdb, source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr
                  Source: Binary string: RegSvcs.pdb source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: Joe Sandbox ViewIP Address: 162.241.217.198 162.241.217.198
                  Source: global trafficTCP traffic: 192.168.2.3:49752 -> 162.241.217.198:587
                  Source: global trafficTCP traffic: 192.168.2.3:49752 -> 162.241.217.198:587
                  Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://CqUOsT.com
                  Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://lzmd6XB2MFu.net
                  Source: RegSvcs.exe, 00000007.00000002.517926898.000000000353A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.absheron-sharab.az
                  Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: BANK COPY.exe, 00000000.00000003.254135945.0000000005B75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.agfamonotype.
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: BANK COPY.exe, 00000000.00000003.246868723.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247238905.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247092273.0000000005B6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
                  Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
                  Source: BANK COPY.exe, 00000000.00000003.250261634.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251054745.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250645734.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251128359.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250676479.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/de
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: BANK COPY.exe, 00000000.00000003.250092163.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com;z
                  Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsFny
                  Source: BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comany
                  Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comedta
                  Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed
                  Source: BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgritogy
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitu
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comouyn
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comueed
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com-uH
                  Source: BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comY
                  Source: BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comcY
                  Source: BANK COPY.exe, 00000000.00000003.242351755.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comick
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245247770.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245400300.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244817743.0000000005B64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-p
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: BANK COPY.exe, 00000000.00000003.253812232.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253923382.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253743728.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253982107.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242292859.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242191863.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coma-dt
                  Source: BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242330356.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242361494.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coms
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr0t
                  Source: BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krK
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242721047.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242814661.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242745354.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comP
                  Source: BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comk
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deF
                  Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dec
                  Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                  Source: unknownDNS traffic detected: queries for: mail.absheron-sharab.az
                  Source: BANK COPY.exe, 00000000.00000002.282858977.0000000000E1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Modifies the hosts file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.BANK COPY.exe.2c36370.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                  Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  .NET source code contains very large array initializations
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBA0C495Cu002dB6A6u002d4174u002d8102u002d6CC97287D619u007d/u0037EDAF7E5u002dACABu002d4CCFu002dA998u002d63BF57EC015A.csLarge array initialization: .cctor: array initializer size 11625
                  .NET source code contains very large strings
                  Source: BANK COPY.exe, AddCompanyForm.csLong String: Length: 20037
                  Source: gPxsznxm.exe.0.dr, AddCompanyForm.csLong String: Length: 20037
                  Source: 0.0.BANK COPY.exe.780000.0.unpack, AddCompanyForm.csLong String: Length: 20037
                  Source: BANK COPY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.BANK COPY.exe.2c36370.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                  Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
                  Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_02ADE820
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_02ADE810
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_02ADBF54
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B3FA0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B5630
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B2D00
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075BD468
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B4C10
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B63F8
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075BC070
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B9770
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B9726
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B5623
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B5620
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B7ED0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B3EE1
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B7EE0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075BC540
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B85C0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B85B0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8C40
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B4C00
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8C30
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B3340
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B3330
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B6330
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B6389
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8A52
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8A60
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8200
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075BD938
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B81F0
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8818
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_075B8808
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_08020040
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_08020006
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_08020283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626BB18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626C878
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06261FF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06260040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069022E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06904D00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06901180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0697C7C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06979338
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06974C68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06972DE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06976D18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0697E950
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06974418
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069792D4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06972D80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06976BC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069AC7E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A65F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A721A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A1D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ADBD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A3330
                  Source: BANK COPY.exe, 00000000.00000000.238693241.0000000000844000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000003.265022832.0000000003248000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.308217029.00000000074B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemqWKvSGkaDYLcvnhfrECeVwbtwhMnIPPYdRhIA.exe4 vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemqWKvSGkaDYLcvnhfrECeVwbtwhMnIPPYdRhIA.exe4 vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.282858977.0000000000E1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.292700104.0000000003DD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
                  Source: BANK COPY.exe, 00000000.00000002.292700104.0000000003DD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe
                  Source: BANK COPY.exeBinary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                  Source: BANK COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: gPxsznxm.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: BANK COPY.exeVirustotal: Detection: 54%
                  Source: BANK COPY.exeReversingLabs: Detection: 39%
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile read: C:\Users\user\Desktop\BANK COPY.exeJump to behavior
                  Source: BANK COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\BANK COPY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\BANK COPY.exe "C:\Users\user\Desktop\BANK COPY.exe"
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\Desktop\BANK COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile created: C:\Users\user\AppData\Roaming\gPxsznxm.exeJump to behavior
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1205.tmpJump to behavior
                  Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: BANK COPY.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\BANK COPY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
                  Source: C:\Users\user\Desktop\BANK COPY.exeMutant created: \Sessions\1\BaseNamedObjects\VvtJSeKnwrzeyitZ
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_01
                  Source: BANK COPY.exeString found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
                  Source: BANK COPY.exeString found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 7.0.RegSvcs.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: BANK COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: BANK COPY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: RegSvcs.pdb, source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr
                  Source: Binary string: RegSvcs.pdb source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: BANK COPY.exe, AddCompanyForm.cs.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: gPxsznxm.exe.0.dr, AddCompanyForm.cs.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: 0.0.BANK COPY.exe.780000.0.unpack, AddCompanyForm.cs.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: C:\Users\user\Desktop\BANK COPY.exeCode function: 0_2_08025045 push FFFFFF8Bh; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE26 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE22 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE2E push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE2A push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE36 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE32 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE3A push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE16 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE1E push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE1A push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AE5D push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AC41 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626ACBE push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AD56 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0626AA09 push es; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06263139 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A6ED4 push ss; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A165F push es; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069A166A push es; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC59 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC5D push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC51 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC55 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC4D push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC71 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC69 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC6D push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC61 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABC65 push es; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069ABBE2 push es; iretd
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.749151091847694
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.749151091847694
                  Source: C:\Users\user\Desktop\BANK COPY.exeFile created: C:\Users\user\AppData\Roaming\gPxsznxm.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeJump to dropped file

                  Boot Survival

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDNJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDNJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\BANK COPY.exe TID: 5664Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 5240Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 3400Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\BANK COPY.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9787
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeThread delayed: delay time: 922337203685477
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: RegSvcs.exe, 00000007.00000003.329884668.000000000665A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.521575260.000000000665A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000003.328729259.000000000664C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbooleanMappingStrings
                  Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069764D0 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FF7008
                  Modifies the hosts file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\BANK COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
                  Source: C:\Users\user\Desktop\BANK COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Users\user\Desktop\BANK COPY.exe VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BANK COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Modifies the hosts file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara matchFile source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation                  		1
                  Scheduled Task/Job                  		211
                  Process Injection                  		1
                  File and Directory Permissions Modification                  		2
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		Exfiltration Over Other Network Medium1
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts2
                  Command and Scripting Interpreter                  		1
                  Registry Run Keys / Startup Folder                  		1
                  Scheduled Task/Job                  		1
                  Disable or Modify Tools                  		1
                  Input Capture                  		114
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		Exfiltration Over Bluetooth1
                  Non-Standard Port                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain Accounts1
                  Scheduled Task/Job                  		Logon Script (Windows)1
                  Registry Run Keys / Startup Folder                  		1
                  Deobfuscate/Decode Files or Information                  		1
                  Credentials in Registry                  		311
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		Automated Exfiltration1
                  Non-Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
                  Obfuscated Files or Information                  		NTDS1
                  Process Discovery                  		Distributed Component Object Model1
                  Input Capture                  		Scheduled Transfer11
                  Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
                  Software Packing                  		LSA Secrets131
                  Virtualization/Sandbox Evasion                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common1
                  Masquerading                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items131
                  Virtualization/Sandbox Evasion                  		DCSync1
                  Remote System Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job211
                  Process Injection                  		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                  Hidden Files and Directories                  		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 680551 Sample: BANK COPY.exe Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 11 other signatures 2->54 7 BANK COPY.exe 6 2->7         started        11 yqWDN.exe 2 2->11         started        13 yqWDN.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\Roaming\gPxsznxm.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp1205.tmp, XML 7->34 dropped 36 C:\Users\user\AppData\...\BANK COPY.exe.log, ASCII 7->36 dropped 56 Writes to foreign memory regions 7->56 58 Injects a PE file into a foreign processes 7->58 15 RegSvcs.exe 2 4 7->15         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 38 mail.absheron-sharab.az 162.241.217.198, 49752, 587 UNIFIEDLAYER-AS-1US United States 15->38 28 C:\Users\user\AppData\Roaming\...\yqWDN.exe, PE32 15->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 15->30 dropped 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->40 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->42 44 Tries to steal Mail credentials (via file / registry access) 15->44 46 5 other signatures 15->46 26 conhost.exe 20->26         started        file8 signatures9 process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  BANK COPY.exe55%VirustotalBrowse
                  BANK COPY.exe39%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                  BANK COPY.exe100%AviraHEUR/AGEN.1235476
                  BANK COPY.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\gPxsznxm.exe100%AviraHEUR/AGEN.1235476
                  C:\Users\user\AppData\Roaming\gPxsznxm.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\gPxsznxm.exe39%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                  C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe0%MetadefenderBrowse
                  C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe0%ReversingLabs

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  7.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  0.0.BANK COPY.exe.780000.0.unpack100%AviraHEUR/AGEN.1235476Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://www.fonts.comick0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://CqUOsT.com0%Avira URL Cloudsafe
                  http://mail.absheron-sharab.az0%Avira URL Cloudsafe
                  http://www.fontbureau.comgritogy0%Avira URL Cloudsafe
                  http://lzmd6XB2MFu.net0%Avira URL Cloudsafe
                  http://www.sandoll.co.kr0t0%Avira URL Cloudsafe
                  http://www.fontbureau.comedta0%Avira URL Cloudsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.fontbureau.comessed0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.carterandcone.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                  http://www.fontbureau.comany0%Avira URL Cloudsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.krK0%Avira URL Cloudsafe
                  http://www.fontbureau.com;z0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cnt-p0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.de0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.fontbureau.com.TTF0%URL Reputationsafe
                  http://www.fontbureau.comueed0%URL Reputationsafe
                  http://www.fontbureau.comF0%URL Reputationsafe
                  http://www.fontbureau.comouyn0%Avira URL Cloudsafe
                  http://www.agfamonotype.0%URL Reputationsafe
                  http://www.sajatypeworks.coms0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                  http://www.urwpp.deF0%URL Reputationsafe
                  http://www.fonts.com-uH0%Avira URL Cloudsafe
                  http://www.fonts.comY0%Avira URL Cloudsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.founder.com.cn/cn/0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.fonts.comcY0%Avira URL Cloudsafe
                  http://www.monotype.0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.tiro.comP0%URL Reputationsafe
                  http://www.tiro.comk0%URL Reputationsafe
                  http://www.fontbureau.comitu0%URL Reputationsafe
                  http://www.sajatypeworks.coma-dt0%Avira URL Cloudsafe
                  http://www.fontbureau.comalsFny0%Avira URL Cloudsafe
                  http://www.urwpp.dec0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  mail.absheron-sharab.az
                  		162.241.217.198
                  		truefalse
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		low
                    http://www.fontbureau.com/designersGBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fonts.comickBANK COPY.exe, 00000000.00000003.242351755.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.founder.com.cn/cn/bTheBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://CqUOsT.comRegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://mail.absheron-sharab.azRegSvcs.exe, 00000007.00000002.517926898.000000000353A000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers?BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.comgritogyBANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://lzmd6XB2MFu.netRegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.sandoll.co.kr0tBANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.comedtaBANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242721047.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242814661.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.comessedBANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.goodfont.co.krBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comBANK COPY.exe, 00000000.00000003.246868723.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247238905.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247092273.0000000005B6D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242292859.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242191863.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/cTheBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/staff/dennis.htmBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://fontfabrik.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://DynDns.comDynDNSnamejidpasswordPsi/PsiRegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.comanyBANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleaseBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.sandoll.co.krKBANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com;zBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		low
                              http://www.founder.com.cn/cnt-pBANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sandoll.co.krBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameBANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sakkal.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com.TTFBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comueedBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/deBANK COPY.exe, 00000000.00000003.250261634.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251054745.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250645734.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251128359.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250676479.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.fontbureau.comBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.comFBANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comouynBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.agfamonotype.BANK COPY.exe, 00000000.00000003.254135945.0000000005B75000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.sajatypeworks.comsBANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242330356.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242361494.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwRegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.urwpp.deFBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fonts.com-uHBANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fonts.comYBANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.carterandcone.comlBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cn/BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cnBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245247770.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245400300.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244817743.0000000005B64000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlBANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.com/designers/cabarga.htmlBANK COPY.exe, 00000000.00000003.250092163.0000000005B9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fonts.comcYBANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.monotype.BANK COPY.exe, 00000000.00000003.253812232.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253923382.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253743728.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253982107.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.tiro.comPBANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242745354.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.tiro.comkBANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers8BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.fontbureau.comituBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sajatypeworks.coma-dtBANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.comalsFnyBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.urwpp.decBANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                162.241.217.198
                                                		mail.absheron-sharab.azUnited States
                                                		46606UNIFIEDLAYER-AS-1USfalse

                                                General Information

                                                Joe Sandbox Version:35.0.0 Citrine
                                                Analysis ID:680551
                                                Start date and time: 08/08/202219:54:082022-08-08 19:54:08 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 41s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:BANK COPY.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:32
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Adjust boot time
                                                • Enable AMSI

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, fs.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                19:55:16API Interceptor1x Sleep call for process: BANK COPY.exe modified
                                                19:55:29API Interceptor662x Sleep call for process: RegSvcs.exe modified
                                                19:55:30AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                19:55:39AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASNs

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK COPY.exe.log

                                                Download File
                                                Process:C:\Users\user\Desktop\BANK COPY.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.355304211458859
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yqWDN.exe.log

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):142
                                                Entropy (8bit):5.090621108356562
                                                Encrypted:false
                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                Malicious:false
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                C:\Users\user\AppData\Local\Temp\tmp1205.tmp

                                                Download File
                                                Process:C:\Users\user\Desktop\BANK COPY.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1641
                                                Entropy (8bit):5.184328660661114
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBDYtn:cbh47TlNQ//rydbz9I3YODOLNdq3s
                                                MD5:86B04371CA462A6BE046C3EAA9671823
                                                SHA1:3E8E41B4250A4563ED07C9F8AF74B78345B4F257
                                                SHA-256:2D37DC322D4039166A732F08E8FE4B62C7D48A1B5274FF222D9371D94E247170
                                                SHA-512:39102335C05F2D7B6892DD425B8A42B1A9ABE5A062F5B7F1799476BE1D1CA0665679C350E555B18DB823FA79E386F1348DE93C560CA76AFFEEC03429C3DF861B
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

                                                C:\Users\user\AppData\Roaming\gPxsznxm.exe

                                                Download File
                                                Process:C:\Users\user\Desktop\BANK COPY.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):798208
                                                Entropy (8bit):7.742343453025608
                                                Encrypted:false
                                                SSDEEP:12288:1lEsuE02iN2UP3L/2+vCU48RXnnYph89YSrHp1S+tzTyy+dT9Z25MqT:4V18UfL5vO8R3YpuYSrHLSozTyJ9Zk
                                                MD5:0197C423EDDEB8A0ED293E96A152F5A2
                                                SHA1:068261F9991202B0A75D813F0C25267D28E4FB51
                                                SHA-256:54877CF2E0D27D13A5E94FCFB0EAE5749BFC56E0E2F548F6410E6E4D56F3EA3F
                                                SHA-512:8223327EE59D6B93CE6CA2B916DC1583857A66BDF1B4777BD6855C46C3E27563F260CF89138128E7DF60286867CCC39E92734DF82D89C0659D835E30F2192C05
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 39%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..b..............P......$......z&... ...@....@.. ....................................@.................................(&..O....@..D ........................................................................... ............... ..H............text........ ...................... ..`.rsrc...D ...@..."..................@..@.reloc...............,..............@..B................\&......H.......8~..XH..............._............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....

                                                C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe

                                                Download File
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:modified
                                                Size (bytes):45152
                                                Entropy (8bit):6.149629800481177
                                                Encrypted:false
                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                C:\Windows\System32\drivers\etc\hosts

                                                Download File
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):835
                                                Entropy (8bit):4.694294591169137
                                                Encrypted:false
                                                SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                MD5:6EB47C1CF858E25486E42440074917F2
                                                SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                Malicious:true
                                                Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                                                \Device\ConDrv

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1141
                                                Entropy (8bit):4.44831826838854
                                                Encrypted:false
                                                SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                Malicious:false
                                                Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.742343453025608
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:BANK COPY.exe
                                                File size:798208
                                                MD5:0197c423eddeb8a0ed293e96a152f5a2
                                                SHA1:068261f9991202b0a75d813f0c25267d28e4fb51
                                                SHA256:54877cf2e0d27d13a5e94fcfb0eae5749bfc56e0e2f548f6410e6e4d56f3ea3f
                                                SHA512:8223327ee59d6b93ce6ca2b916dc1583857a66bdf1b4777bd6855c46c3e27563f260cf89138128e7df60286867ccc39e92734df82d89c0659d835e30f2192c05
                                                SSDEEP:12288:1lEsuE02iN2UP3L/2+vCU48RXnnYph89YSrHp1S+tzTyy+dT9Z25MqT:4V18UfL5vO8R3YpuYSrHLSozTyJ9Zk
                                                TLSH:7F05F1F06AF97668F035637636D0A03C3BE2E90BD905E1399DA7934D9752EC046E1A33
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..b..............P......$......z&... ...@....@.. ....................................@................................

                                                File Icon

                                                Icon Hash:0220839690409040

                                                Static PE Info

                                                General

                                                Entrypoint:0x4c267a
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x62F10A3F [Mon Aug 8 13:06:07 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xc26280x4f.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xc40000x2044.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xc80000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000xc06800xc0800False0.8528168120941558data7.749151091847694IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc0xc40000x20440x2200False0.8245634191176471data7.364406728241504IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0xc80000xc0x200False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_ICON0xc41300x19efPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                RT_GROUP_ICON0xc5b200x14data
                                                RT_VERSION0xc5b340x324data
                                                RT_MANIFEST0xc5e580x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Aug 8, 2022 19:55:48.572746038 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:48.714828014 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:48.715018034 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:48.959501982 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:48.988403082 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.130188942 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.131726980 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.273731947 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.274251938 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.455485106 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.456295967 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.597950935 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.598197937 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.751415014 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.820390940 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.963474035 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.963519096 CEST58749752162.241.217.198192.168.2.3
                                                Aug 8, 2022 19:55:49.963586092 CEST49752587192.168.2.3162.241.217.198
                                                Aug 8, 2022 19:55:49.963629961 CEST49752587192.168.2.3162.241.217.198

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Aug 8, 2022 19:55:48.381268978 CEST5772353192.168.2.38.8.8.8
                                                Aug 8, 2022 19:55:48.529407978 CEST53577238.8.8.8192.168.2.3

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                Aug 8, 2022 19:55:48.381268978 CEST192.168.2.38.8.8.80x2e54Standard query (0)mail.absheron-sharab.azA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                Aug 8, 2022 19:55:48.529407978 CEST8.8.8.8192.168.2.30x2e54No error (0)mail.absheron-sharab.az162.241.217.198A (IP address)IN (0x0001)

                                                SMTP Packets

                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                Aug 8, 2022 19:55:48.959501982 CEST58749752162.241.217.198192.168.2.3220-box5507.bluehost.com ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 11:55:48 -0600
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                                Aug 8, 2022 19:55:48.988403082 CEST49752587192.168.2.3162.241.217.198EHLO 835180
                                                Aug 8, 2022 19:55:49.130188942 CEST58749752162.241.217.198192.168.2.3250-box5507.bluehost.com Hello 835180 [102.129.143.3]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-PIPE_CONNECT
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                                Aug 8, 2022 19:55:49.131726980 CEST49752587192.168.2.3162.241.217.198AUTH login ZW1pbi5nYXNpbW92QGFic2hlcm9uLXNoYXJhYi5heg==
                                                Aug 8, 2022 19:55:49.273731947 CEST58749752162.241.217.198192.168.2.3334 UGFzc3dvcmQ6
                                                Aug 8, 2022 19:55:49.455485106 CEST58749752162.241.217.198192.168.2.3235 Authentication succeeded
                                                Aug 8, 2022 19:55:49.456295967 CEST49752587192.168.2.3162.241.217.198MAIL FROM:<emin.gasimov@absheron-sharab.az>
                                                Aug 8, 2022 19:55:49.597950935 CEST58749752162.241.217.198192.168.2.3250 OK
                                                Aug 8, 2022 19:55:49.598197937 CEST49752587192.168.2.3162.241.217.198RCPT TO:<zakirrome@ostdubai.com>
                                                Aug 8, 2022 19:55:49.751415014 CEST58749752162.241.217.198192.168.2.3550-Domain absheron-sharab.az has exceeded the max emails per hour (150/150
                                                550 (100%)) allowed. Message discarded.
                                                Aug 8, 2022 19:55:49.963474035 CEST58749752162.241.217.198192.168.2.3421 box5507.bluehost.com lost input connection

                                                Statistics

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:19:55:06
                                                Start date:08/08/2022
                                                Path:C:\Users\user\Desktop\BANK COPY.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\BANK COPY.exe"
                                                Imagebase:0x780000
                                                File size:798208 bytes
                                                MD5 hash:0197C423EDDEB8A0ED293E96A152F5A2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low

                                                General

                                                Target ID:5
                                                Start time:19:55:24
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
                                                Imagebase:0x7ff7c9170000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:6
                                                Start time:19:55:25
                                                Start date:08/08/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:7
                                                Start time:19:55:25
                                                Start date:08/08/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0xdb0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Target ID:14
                                                Start time:19:55:39
                                                Start date:08/08/2022
                                                Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                Imagebase:0x6e0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Antivirus matches:
                                                • Detection: 0%, Metadefender, Browse
                                                • Detection: 0%, ReversingLabs
                                                Reputation:high

                                                General

                                                Target ID:15
                                                Start time:19:55:39
                                                Start date:08/08/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:20
                                                Start time:19:55:48
                                                Start date:08/08/2022
                                                Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                Imagebase:0x3b0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Target ID:22
                                                Start time:19:55:48
                                                Start date:08/08/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                No disassembly