Windows Analysis Report
rdwREyLU2K.exe

Overview

General Information

Sample Name:rdwREyLU2K.exe
Analysis ID:715064
MD5:25d6c4747284bf8489b1faa56a1ddd42
SHA1:49112625189085cdde41b13809efa60d3d26fc5a
SHA256:17589e726e9a629be05b4a39848c3a399549b646c38bbe9ac4c301a261dacc8f
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • rdwREyLU2K.exe (PID: 4240 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
    • rdwREyLU2K.exe (PID: 4844 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
    • rdwREyLU2K.exe (PID: 5436 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "YAWALESS123@@"}
Source | Rule | Description | Author | Strings
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
      • 0x2feda:$a13: get_DnsResolver
      • 0x2e689:$a20: get_LastAccessed
      • 0x3086c:$a27: set_InternalServerPort
      • 0x30b89:$a30: set_GuidMasterKey
      • 0x2e790:$a33: get_Clipboard
      • 0x2e79e:$a34: get_Keyboard
      • 0x2fb10:$a35: get_ShiftKeyDown
      • 0x2fb21:$a36: get_AltKeyDown
      • 0x2e7ab:$a37: get_Password
      • 0x2f2c0:$a38: get_PasswordHash
      • 0x302d7:$a39: get_DefaultCredentials
00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
2.0.rdwREyLU2K.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.rdwREyLU2K.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.rdwREyLU2K.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
              • 0x329ce:$s10: logins
              • 0x32420:$s11: credential
              • 0x2e990:$g1: get_Clipboard
              • 0x2e99e:$g2: get_Keyboard
              • 0x2e9ab:$g3: get_Password
              • 0x2fd00:$g4: get_CtrlKeyDown
              • 0x2fd10:$g5: get_ShiftKeyDown
              • 0x2fd21:$g6: get_AltKeyDown
2.0.rdwREyLU2K.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
              • 0x300da:$a13: get_DnsResolver
              • 0x2e889:$a20: get_LastAccessed
              • 0x30a6c:$a27: set_InternalServerPort
              • 0x30d89:$a30: set_GuidMasterKey
              • 0x2e990:$a33: get_Clipboard
              • 0x2e99e:$a34: get_Keyboard
              • 0x2fd10:$a35: get_ShiftKeyDown
              • 0x2fd21:$a36: get_AltKeyDown
              • 0x2e9ab:$a37: get_Password
              • 0x2f4c0:$a38: get_PasswordHash
              • 0x304d7:$a39: get_DefaultCredentials
0.2.rdwREyLU2K.exe.3db5fb8.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: rdwREyLU2K.exe | ReversingLabs: Detection: 29%
Source: rdwREyLU2K.exe | Virustotal: Detection: 29%
Source: rdwREyLU2K.exe | Joe Sandbox ML: detected
Source: 2.0.rdwREyLU2K.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "YAWALESS123@@"}
Source: rdwREyLU2K.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rdwREyLU2K.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.5:49701 -> 77.88.21.158:587
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DRHKlr5ijAqmEIU.n
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567534977.00000000030BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DRHKlr5ijAqmEIU.net
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DtWdBM.com
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globaHL
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.570947240.00000000062A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.570947240.00000000062A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globaQMx
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000000.00000003.304752494.000000000106C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%smtp.yandex.comviorel5000
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/reposit
Source: rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.571119790.00000000062C6000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.570947240.00000000062A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rdwREyLU2K.exe
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC58A4998u002d7433u002d494Bu002dB2D2u002dA8FEAD990F31u007d/D5CBB07Eu002d511Du002d490Eu002dB2A4u002d9220D0937D05.csLarge array initialization: .cctor: array initializer size 10527
                Source: rdwREyLU2K.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6DD1
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6DE0
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6968
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6978
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEF340
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEF688
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BE63E3
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEB018
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059FC5E8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059F1FF8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059F0040
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EB7E88
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EBD2E8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EB1D28
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: String function: 059F5990 appears 55 times
                Source: rdwREyLU2K.exe, 00000000.00000002.338876960.00000000029C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.338876960.00000000029C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.348203894.0000000007520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMetal.dllJ vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.341000791.00000000039C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTargetParameterCount.dll> vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.341488518.0000000003A80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMetal.dllJ vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000000.295359703.0000000000582000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVrBY.exeL vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.348095716.0000000007340000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.347978184.00000000072F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTargetParameterCount.dll> vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000002.00000002.562932468.0000000000938000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000002.00000000.335922021.0000000000436000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exeBinary or memory string: OriginalFilenameVrBY.exeL vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exeReversingLabs: Detection: 29%
                Source: rdwREyLU2K.exeVirustotal: Detection: 29%
                Source: rdwREyLU2K.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeProcess created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rdwREyLU2K.exe.log
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
                Source: rdwREyLU2K.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: rdwREyLU2K.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: rdwREyLU2K.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                Source: rdwREyLU2K.exe, NetworkArithmeticGame/Form1.cs.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.rdwREyLU2K.exe.580000.0.unpack, NetworkArithmeticGame/Form1.cs.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_04F9F618 pushad ; retf
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EBA582 push FFFFFF8Dh; retf
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: Yara matchFile source: 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMENSYSTEM\CONTROLSET001\SERVICES\DISK\ENUM
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 1004Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 1888Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 6064Thread sleep count: 9570 > 30
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWindow / User API: threadDelayed 9570
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeThread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeThread delayed: delay time: 922337203685477
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II2VM Additions S3 Trio32/64
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareFSELECT * FROM Win32_VideoController
                Source: rdwREyLU2K.exe, 00000002.00000002.570947240.00000000062A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMUDSOFTWARE\VMware, Inc.\VMware Tools
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System VideoBiosVersion
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EBE998 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeMemory written: C:\Users\user\Desktop\rdwREyLU2K.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeProcess created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Users\user\Desktop\rdwREyLU2K.exe VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Users\user\Desktop\rdwREyLU2K.exe VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR
ATT&CK matrix, listed per tactic column (the number in front of a technique is the count shown next to it in the matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Input Capture; 11 Archive Collected Data; 2 Data from Local System; 1 Clipboard Data; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
rdwREyLU2K.exe | 29% | ReversingLabs | |
rdwREyLU2K.exe | 30% | Virustotal | | Browse
rdwREyLU2K.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
2.0.rdwREyLU2K.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://DtWdBM.com | 0% | Virustotal | | Browse
http://DRHKlr5ijAqmEIU.n | 0% | Avira URL Cloud | safe |
http://secure.globaQMx | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://api.ipify.org% | 0% | URL Reputation | safe |
http://DtWdBM.com | 0% | Avira URL Cloud | safe |
https://api.ipify.org%smtp.yandex.comviorel5000 | 0% | Avira URL Cloud | safe |
http://crl.globaHL | 0% | Avira URL Cloud | safe |
http://DRHKlr5ijAqmEIU.net | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DtWdBM.com | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DRHKlr5ijAqmEIU.n | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://secure.globaQMx | rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%smtp.yandex.comviorel5000 | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000000.00000003.304752494.000000000106C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://smtp.yandex.com | rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.globaHL | rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://DRHKlr5ijAqmEIU.net | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, rdwREyLU2K.exe, 00000002.00000002.567534977.00000000030BF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | | 13238 | YANDEXRU | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 715064
Start date and time: 2022-10-03 15:47:33 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: rdwREyLU2K.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:48:39 | API Interceptor | 716x Sleep call for process: rdwREyLU2K.exe modified
                                          No context
Process: C:\Users\user\Desktop\rdwREyLU2K.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.564911842144199
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: rdwREyLU2K.exe
File size: 909824
MD5: 25d6c4747284bf8489b1faa56a1ddd42
SHA1: 49112625189085cdde41b13809efa60d3d26fc5a
SHA256: 17589e726e9a629be05b4a39848c3a399549b646c38bbe9ac4c301a261dacc8f
SHA512: 62c9f541b7db2be928de9678b050efe98769b573fbf4855ec343a78527618c4c63c7a0c3bd1fda26d9232dc27fd47bf254d6c4984f86d2397d4266c19f6216f9
SSDEEP: 12288:zK4HTNfVv2SM15g7MW6ZWPVSmb33VqYs/+exRtOM7LXCtj:fv24MlQPPVqd/+e9OM+
TLSH: 1D15D02203E69B0AC0665374CDD3C3F0AFE84E61E271C2874FE9BD6BB57B1A9B641145
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@.:c..............0.................. ........@.. .......................@............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4df51a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x633AC040 [Mon Oct 3 10:58:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0xdf4c8          0x4f          .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x608         .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                           Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                           .text   0x2000           0xdd520       0xdd600   False     0.6839907714568041  data       6.57261861619457     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc   0xe0000          0x608         0x800     False     0.33154296875       data       3.440909406394536    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc  0xe2000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name         RVA      Size   Type                                                                               Language  Country
                                           RT_VERSION   0xe0090  0x378  data
                                           RT_MANIFEST  0xe0418  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                           DLL          Import
                                           mscoree.dll  _CorExeMain
                                           Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                           Oct 3, 2022 15:49:06.042037010 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.098341942 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.098545074 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.383357048 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.383822918 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.440113068 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.440150023 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.440598965 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.499119997 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.552879095 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.612731934 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.612771034 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.612795115 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.612816095 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.612936974 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.613003016 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.640078068 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.698756933 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.744678974 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.767220020 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.823750973 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.839813948 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.896342993 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.897025108 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:06.971704960 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:06.972553968 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.034334898 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.035088062 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.103673935 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.104135990 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.160567999 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.162266970 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.162421942 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.163043022 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.163139105 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:49:07.218589067 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.219239950 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.598264933 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:49:07.651074886 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Oct 3, 2022 15:50:22.598304033 CEST  587          49701      77.88.21.158  192.168.2.5
                                           Oct 3, 2022 15:50:22.598372936 CEST  49701        587        192.168.2.5   77.88.21.158
                                           Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                           Oct 3, 2022 15:49:05.970387936 CEST  60841        53         192.168.2.5  8.8.8.8
                                           Oct 3, 2022 15:49:05.989950895 CEST  53           60841      8.8.8.8      192.168.2.5
                                           Oct 3, 2022 15:49:06.006103992 CEST  61893        53         192.168.2.5  8.8.8.8
                                           Oct 3, 2022 15:49:06.023452997 CEST  53           61893      8.8.8.8      192.168.2.5
                                           Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
                                           Oct 3, 2022 15:49:05.970387936 CEST  192.168.2.5  8.8.8.8  0x8d8     Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)  false
                                           Oct 3, 2022 15:49:06.006103992 CEST  192.168.2.5  8.8.8.8  0x1e69    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)  false
                                           Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName           Address       Type                    Class        DNS over HTTPS
                                           Oct 3, 2022 15:49:05.989950895 CEST  8.8.8.8    192.168.2.5  0x8d8     No error (0)  smtp.yandex.com  smtp.yandex.ru                CNAME (Canonical name)  IN (0x0001)  false
                                           Oct 3, 2022 15:49:05.989950895 CEST  8.8.8.8    192.168.2.5  0x8d8     No error (0)  smtp.yandex.ru                   77.88.21.158  A (IP address)          IN (0x0001)  false
                                           Oct 3, 2022 15:49:06.023452997 CEST  8.8.8.8    192.168.2.5  0x1e69    No error (0)  smtp.yandex.com  smtp.yandex.ru                CNAME (Canonical name)  IN (0x0001)  false
                                           Oct 3, 2022 15:49:06.023452997 CEST  8.8.8.8    192.168.2.5  0x1e69    No error (0)  smtp.yandex.ru                   77.88.21.158  A (IP address)          IN (0x0001)  false
                                           Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
                                           Oct 3, 2022 15:49:06.383357048 CEST  587          49701      77.88.21.158  192.168.2.5   220 iva7-38cb93e4c9b7.qloud-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1664804946-PxPyYXd6eg-n6hK4HMm
                                           Oct 3, 2022 15:49:06.383822918 CEST  49701        587        192.168.2.5   77.88.21.158  EHLO 124406
                                           Oct 3, 2022 15:49:06.440150023 CEST  587          49701      77.88.21.158  192.168.2.5   250-iva7-38cb93e4c9b7.qloud-c.yandex.net
                                                                                                                                    250-8BITMIME
                                                                                                                                    250-PIPELINING
                                                                                                                                    250-SIZE 53477376
                                                                                                                                    250-STARTTLS
                                                                                                                                    250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                                                    250-DSN
                                                                                                                                    250 ENHANCEDSTATUSCODES
                                           Oct 3, 2022 15:49:06.440598965 CEST  49701        587        192.168.2.5   77.88.21.158  STARTTLS
                                           Oct 3, 2022 15:49:06.499119997 CEST  587          49701      77.88.21.158  192.168.2.5   220 Go ahead

                                          Target ID:0
                                          Start time:15:48:26
                                          Start date:03/10/2022
                                          Path:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Imagebase:0x580000
                                          File size:909824 bytes
                                          MD5 hash:25D6C4747284BF8489B1FAA56A1DDD42
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:1
                                          Start time:15:48:45
                                          Start date:03/10/2022
                                          Path:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Imagebase:0xa0000
                                          File size:909824 bytes
                                          MD5 hash:25D6C4747284BF8489B1FAA56A1DDD42
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          Target ID:2
                                          Start time:15:48:45
                                          Start date:03/10/2022
                                          Path:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\rdwREyLU2K.exe
                                          Imagebase:0x4a0000
                                          File size:909824 bytes
                                          MD5 hash:25D6C4747284BF8489B1FAA56A1DDD42
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          No disassembly