Windows Analysis Report
QNx8Bu7CNn.exe

Overview

General Information

Sample Name: QNx8Bu7CNn.exe
Analysis ID: 715065
MD5: 9a9cb1f7f37aa3955cfb4d8991583e31
SHA1: 8d63b02db5ce9bb9bb1691ab4a5282d18078191a
SHA256: 943089ba13faf44a75c9624e2b68af1f561d5567bb4ba7cf4a2596b129da6a2b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
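Several of the signatures above are weak on their own but strong together: a process that creates a suspended copy of itself and injects a PE into it, WMI queries against Win32_Processor / Win32_Bios / Win32_BaseBoard / Win32_NetworkAdapter, and the Outlook profile registry key opened to harvest mail credentials. The Python below is an added example, not part of the Joe Sandbox report, of how a detection engineer can correlate those behaviours per process lineage from endpoint telemetry. The event schema is a constructed simplification of what Sysmon or an EDR emits; the PIDs, image path, MD5 and Outlook key path reuse the values from this report, while the explorer.exe parent and the chrome.exe events are constructed benign controls.

```python
import re
from collections import defaultdict

# WMI classes commonly enumerated for VM/sandbox fingerprinting (see the signatures above).
WMI_HW_CLASSES = ("win32_processor", "win32_bios", "win32_baseboard", "win32_networkadapter")
# Outlook profile store (any Office version) that holds saved mail account credentials.
OUTLOOK_PROFILE_RE = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)

SAMPLE_IMAGE = r"C:\Users\user\Desktop\QNx8Bu7CNn.exe"
SAMPLE_MD5 = "9A9CB1F7F37AA3955CFB4D8991583E31"

# Constructed telemetry (simplified schema). PIDs/hash/key match this report; chrome.exe is a benign control
# because browsers also spawn same-image children but do no WMI hardware recon or Outlook profile access.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "md5": "EXPLORER"},
    {"type": "ProcessCreate", "pid": 5292, "ppid": 4000, "image": SAMPLE_IMAGE, "md5": SAMPLE_MD5},
    {"type": "WmiQuery", "pid": 5292, "query": "SELECT * FROM Win32_Processor"},
    {"type": "ProcessCreate", "pid": 5840, "ppid": 5292, "image": SAMPLE_IMAGE, "md5": SAMPLE_MD5},
    {"type": "RegistryOpen", "pid": 5840,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "ProcessCreate", "pid": 7000, "ppid": 4000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "md5": "CHROME"},
    {"type": "ProcessCreate", "pid": 7001, "ppid": 7000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "md5": "CHROME"},
]


def lineage_root(pid, procs):
    """Walk up the parent chain while the parent is the same binary; returns the first process of the chain.
    This groups a loader and the hollowed copy of itself without pulling in explorer.exe and everything under it."""
    while pid in procs:
        parent = procs.get(procs[pid]["ppid"])
        if parent is None or parent["image"].lower() != procs[pid]["image"].lower():
            return pid
        pid = parent["pid"]
    return pid


def tag_events(events):
    """Returns {root_pid: set(tags)}, one tag per behaviour class seen anywhere in that lineage."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    tags = defaultdict(set)
    for e in events:
        root = lineage_root(e["pid"], procs)
        if e["type"] == "ProcessCreate":
            parent = procs.get(e["ppid"])
            # Same image path and same hash as the parent: the pattern left by self-injection/hollowing.
            if parent and parent["image"].lower() == e["image"].lower() and parent["md5"] == e["md5"]:
                tags[root].add("self-spawn")
        elif e["type"] == "WmiQuery":
            if any(cls in e["query"].lower() for cls in WMI_HW_CLASSES):
                tags[root].add("wmi-hw-recon")
        elif e["type"] == "RegistryOpen":
            if OUTLOOK_PROFILE_RE.search(e["key"]):
                tags[root].add("outlook-profile-access")
    return tags


def alerts(events, min_tags=2):
    """Alert only when a lineage shows at least min_tags distinct behaviours; self-spawn alone is too common."""
    return {root: sorted(t) for root, t in tag_events(events).items() if len(t) >= min_tags}


if __name__ == "__main__":
    for root, found in alerts(EVENTS).items():
        print(f"PID {root}: {', '.join(found)}")
```

The threshold is the important design choice: any one of these behaviours fires on legitimate software (installers query Win32_Processor, mail clients read the profile key, browsers spawn themselves), so the alert is on the combination within one binary's lineage, which is also how the sandbox arrives at its score.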

Process Tree

  • System is w10x64
  • QNx8Bu7CNn.exe (PID: 5292, cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe, MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
    • QNx8Bu7CNn.exe (PID: 5840, cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe, MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
  • cleanup

Malware Configuration

AgentTesla: {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x30080:$a13: get_DnsResolver
  • 0x2e88e:$a20: get_LastAccessed
  • 0x309fe:$a27: set_InternalServerPort
  • 0x30d1a:$a30: set_GuidMasterKey
  • 0x2e995:$a33: get_Clipboard
  • 0x2e9a3:$a34: get_Keyboard
  • 0x2fcb3:$a35: get_ShiftKeyDown
  • 0x2fcc4:$a36: get_AltKeyDown
  • 0x2e9b0:$a37: get_Password
  • 0x2f463:$a38: get_PasswordHash
  • 0x30480:$a39: get_DefaultCredentials
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(10 further memory-dump matches are not included in this export)

Unpacked PEs

Source | Rule | Description | Author
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x32b4d:$s10: logins
  • 0x66f6d:$s10: logins
  • 0x325b4:$s11: credential
  • 0x669d4:$s11: credential
  • 0x2eb95:$g1: get_Clipboard
  • 0x62fb5:$g1: get_Clipboard
  • 0x2eba3:$g2: get_Keyboard
  • 0x62fc3:$g2: get_Keyboard
  • 0x2ebb0:$g3: get_Password
  • 0x62fd0:$g3: get_Password
  • 0x2fea3:$g4: get_CtrlKeyDown
  • 0x642c3:$g4: get_CtrlKeyDown
  • 0x2feb3:$g5: get_ShiftKeyDown
  • 0x642d3:$g5: get_ShiftKeyDown
  • 0x2fec4:$g6: get_AltKeyDown
  • 0x642e4:$g6: get_AltKeyDown
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x30280:$a13: get_DnsResolver
  • 0x646a0:$a13: get_DnsResolver
  • 0x2ea8e:$a20: get_LastAccessed
  • 0x62eae:$a20: get_LastAccessed
  • 0x30bfe:$a27: set_InternalServerPort
  • 0x6501e:$a27: set_InternalServerPort
  • 0x30f1a:$a30: set_GuidMasterKey
  • 0x6533a:$a30: set_GuidMasterKey
  • 0x2eb95:$a33: get_Clipboard
  • 0x62fb5:$a33: get_Clipboard
  • 0x2eba3:$a34: get_Keyboard
  • 0x62fc3:$a34: get_Keyboard
  • 0x2feb3:$a35: get_ShiftKeyDown
  • 0x642d3:$a35: get_ShiftKeyDown
  • 0x2fec4:$a36: get_AltKeyDown
  • 0x642e4:$a36: get_AltKeyDown
  • 0x2ebb0:$a37: get_Password
  • 0x62fd0:$a37: get_Password
  • 0x2f663:$a38: get_PasswordHash
  • 0x63a83:$a38: get_PasswordHash
  • 0x30680:$a39: get_DefaultCredentials
0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(19 further unpacked-PE matches are not included in this export)

No Sigma rule has matched
No Snort rule has matched


                AV Detection

Source: QNx8Bu7CNn.exe | ReversingLabs: Detection: 26%
Source: QNx8Bu7CNn.exe | Virustotal: Detection: 32%
Source: ftp://ftp.valvulasthermovalve.cl/cva19491 | URL Reputation: Label: phishing
Source: http://ftp.valvulasthermovalve.cl | Avira URL Cloud: Label: phishing
Source: ftp.valvulasthermovalve.cl | Virustotal: Detection: 17%
Source: QNx8Bu7CNn.exe | Joe Sandbox ML: detected
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source: QNx8Bu7CNn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QNx8Bu7CNn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 190.107.177.239
Source: unknown | FTP traffic detected: 190.107.177.239:21 -> 192.168.2.7:49703
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 10 of 100 allowed.
  220-Local time is now 09:49. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.valvulasthermovalve.cl/cva19491
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510640859.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.valvulasthermovalve.cl
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pzxuZU.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://uZTc8nGgAr9KT9EFaKnD.net
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: ftp.valvulasthermovalve.cl
Source: QNx8Bu7CNn.exe, 00000000.00000002.264316868.0000000001698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
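Only a few of the strings above are worth acting on. The extracted configuration, the ftp.valvulasthermovalve.cl DNS query and the FTP session to 190.107.177.239:21 are the network footprint of this sample; the long run of fontbureau.com / carterandcone.com / jiyu-kobo.co.jp / sakkal.com style URLs is, in my assessment, vendor metadata from the fonts the .NET/GDI+ runtime enumerated when the loader created its form, and turning those into indicators would only generate false positives. The Python below is an added example, not Joe Sandbox code, showing how to reduce the extracted configuration to usable indicators and then run them against DNS query names and an FTP control-channel transcript. The configuration dict is copied from this report; the FTP transcript is constructed (the banner lines match the capture above, the rest is a typical Pure-FTPd exchange with a made-up upload name).

```python
from urllib.parse import urlparse

# Configuration the sandbox extracted from the unpacked payload (copied from this report).
AGENTTESLA_CONFIG = {
    "Exfil Mode": "FTP",
    "FTP Host": "ftp://ftp.valvulasthermovalve.cl/",
    "Username": "cva19491@valvulasthermovalve.cl",
    "Password": "LILKOOLL14!!",
}


def iocs_from_config(cfg):
    """Reduce the extracted config to the indicators worth blocking or hunting on.
    The password is deliberately dropped: logging into the attacker's drop account is unauthorised access,
    and it is never needed for detection."""
    u = urlparse(cfg["FTP Host"])
    return {
        "mode": cfg["Exfil Mode"],
        "host": u.hostname,
        "port": u.port or 21,
        "username": cfg["Username"],
    }


def matches_domain(qname, ioc_host):
    """True for the exfil host itself or any subdomain of it (case-insensitive, trailing dot tolerated)."""
    q = qname.lower().rstrip(".")
    h = ioc_host.lower().rstrip(".")
    return q == h or q.endswith("." + h)


def find_exfil_in_ftp_session(lines, iocs):
    """Scan an FTP control channel (client commands and server replies, as reconstructed from a PCAP or
    a Zeek ftp.log) and flag a login with the configured drop account plus every upload that follows it."""
    findings, logged_in = [], False
    for idx, line in enumerate(lines):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER" and arg.strip().lower() == iocs["username"].lower():
            logged_in = True
            findings.append((idx, "USER matches AgentTesla exfil account"))
        elif cmd in ("STOR", "APPE") and logged_in:
            findings.append((idx, f"upload {arg.strip()!r} after exfil-account login"))
        elif cmd == "QUIT":
            logged_in = False
    return findings


# Constructed control-channel transcript; the 220 banner is the one captured by the sandbox.
SAMPLE_FTP_SESSION = [
    "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
    "USER cva19491@valvulasthermovalve.cl",
    "331 User cva19491@valvulasthermovalve.cl OK. Password required",
    "PASS <redacted>",
    "230 OK. Current directory is /",
    "TYPE I",
    "PASV",
    "227 Entering Passive Mode (190,107,177,239,195,80)",
    "STOR PW_user-PC.html",
    "226-File successfully transferred",
    "QUIT",
]

if __name__ == "__main__":
    iocs = iocs_from_config(AGENTTESLA_CONFIG)
    print("block/hunt:", iocs)
    for idx, why in find_exfil_in_ftp_session(SAMPLE_FTP_SESSION, iocs):
        print(f"line {idx}: {why}")
```

Matching on the USER command rather than on the host name is deliberate: the drop server is a compromised legitimate FTP host (the banner is a stock Pure-FTPd one), so the host can change or be cleaned while the stolen account is what ties a session to this campaign. The same host may also carry legitimate traffic, which is why the upload is only flagged after the known account has authenticated.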

                System Summary

Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: QNx8Bu7CNn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160E9E3
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160E9F0
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160CA4C
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7F080
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E702C2
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7AD20
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7F3C8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526F200
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526C4A8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526B758
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_05261FF8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_05260040
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06044E60
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06049F00
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06049000
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0604A158
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060432A8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06069C00
Source: QNx8Bu7CNn.exe, 00000000.00000002.283020050.0000000007A90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.264316868.0000000001698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.265861063.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.265861063.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000000.237593514.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezjVS.exeL vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.274768916.00000000043C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.283225213.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.283193737.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.275476275.0000000004480000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000000.262288164.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000002.504395903.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000002.503539178.0000000000978000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe | Binary or memory string: OriginalFilenamezjVS.exeL vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe | ReversingLabs: Detection: 26%
Source: QNx8Bu7CNn.exe | Virustotal: Detection: 32%
Source: QNx8Bu7CNn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNx8Bu7CNn.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: QNx8Bu7CNn.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QNx8Bu7CNn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QNx8Bu7CNn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: QNx8Bu7CNn.exe, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.QNx8Bu7CNn.exe.f00000.0.unpack, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E70841 push eax; retf
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060418AA push es; ret
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06041CC8 push esp; iretd
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060418F6 push es; ret
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06042177 push edi; retn 0000h
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0604D97A push 8B000003h; iretd
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5332 | Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5312 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 2892 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 3148 | Thread sleep count: 9707 > 30
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Window / User API: threadDelayed 9707
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersion
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware VideoBiosVersion
                Source: QNx8Bu7CNn.exe, 00000000.00000002.264767023.000000000174B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu8M
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \\.\ROOT\cimv2DSOFTWARE\VMware, Inc.\VMware Tools
                Source: QNx8Bu7CNn.exe, 00000001.00000003.301268672.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCapsBBS\8A
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06046A30 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Memory written: C:\Users\user\Desktop\QNx8Bu7CNn.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Users\user\Desktop\QNx8Bu7CNn.exe VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Users\user\Desktop\QNx8Bu7CNn.exe VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: Yara matchFile source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR
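The file and registry opens listed above are the signal a detection engineer wants from this section: one process reading the credential stores of eight unrelated applications (two mail clients, two browsers, three FTP/SCP clients, a webmail client) in a single run. The Python below is an added example, not part of the Joe Sandbox report or its signatures, that scores that fan-out over a constructed event list modelled on the report's own open lines. The event schema (pid, image, kind, target) and the owner process names that suppress an application reading its own store are assumptions, not a real EDR format.

```python
"""Credential-store fan-out detector.

Added example, not part of the Joe Sandbox report. EVENTS is constructed to
mirror the report's file/registry-open lines; the event schema (pid, image,
kind, target) and the owner process names are assumptions, not a real EDR format.
"""
import re
from collections import defaultdict

# (pattern over the opened path or key, application, processes allowed to read it).
# Locations are the ones the sample opened; the user name and the Chrome profile
# directory are wildcarded. Owner process names are assumptions.
CREDENTIAL_STORES = [(re.compile(p, re.IGNORECASE), app, owners) for p, app, owners in [
    (r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$", "Thunderbird", {"thunderbird.exe"}),
    (r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$", "Firefox", {"firefox.exe"}),
    (r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", "Chrome", {"chrome.exe"}),
    (r"\\AppData\\Roaming\\FileZilla\\recentservers\.xml$", "FileZilla", {"filezilla.exe"}),
    (r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites\\", "SmartFTP", {"smartftp.exe"}),
    (r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions", "WinSCP", {"winscp.exe"}),
    (r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities", "IncrediMail", {"incmail.exe"}),
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\",
     "Outlook", {"outlook.exe"}),
]]

SAMPLE = r"C:\Users\user\Desktop\QNx8Bu7CNn.exe"

# Constructed events. The pid 5840 entries reproduce the report's open list; the
# other two processes are benign noise added to show what must not alert.
EVENTS = [
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 5840, "image": SAMPLE, "kind": "reg", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 5840, "image": SAMPLE, "kind": "reg", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 5840, "image": SAMPLE, "kind": "reg", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"},
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5840, "image": SAMPLE, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4120, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 2210, "image": r"C:\Program Files\Backup\backup.exe", "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 2210, "image": r"C:\Program Files\Backup\backup.exe", "kind": "file", "target": r"C:\Users\user\Documents\notes.txt"},
]


def classify(target):
    """Return (application, owner images) if target is a known credential store, else None."""
    for pattern, app, owners in CREDENTIAL_STORES:
        if pattern.search(target):
            return app, owners
    return None


def credential_fanout(events, threshold=3):
    """Alert on every pid that opened the stores of at least `threshold` applications
    it does not own. An application reading its own store is ignored, so Firefox
    opening profiles.ini never counts; a process that is none of the owners and
    walks mail, browser, FTP and SCP-client stores in one run does."""
    touched = defaultdict(set)
    image_of = {}
    for ev in events:
        hit = classify(ev["target"])
        if hit is None:
            continue
        app, owners = hit
        if ev["image"].rsplit("\\", 1)[-1].lower() in owners:
            continue
        touched[ev["pid"]].add(app)
        image_of[ev["pid"]] = ev["image"]
    return sorted(
        ({"pid": pid, "image": image_of[pid], "stores": sorted(apps)}
         for pid, apps in touched.items() if len(apps) >= threshold),
        key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in credential_fanout(EVENTS):
        print(alert["pid"], alert["image"], ", ".join(alert["stores"]))
```

A threshold of three is a starting point rather than a tuned value: a profile-migration or backup tool legitimately reads one or two of these files, but nothing legitimate touches mail, browser and FTP stores together. The MachineGuid read shown at the top of this section is a useful secondary field for the same alert, but it is far too common on its own to alert on.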

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR
MITRE ATT&CK matrix. The digits the report prints before a technique are its signature-count badges for that technique; techniques without digits are the matrix background and were not matched by any signature.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [2 1 1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [1 1 1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [1 1 1]; Obfuscated Files or Information [1]; Software Packing [1 1]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [2 1 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [1 1 4]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [1]; Data from Local System [2]; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Alternative Protocol [1]; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1 1]; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Sample (Source | Detection | Scanner | Label)
QNx8Bu7CNn.exe | 27% | ReversingLabs | -
QNx8Bu7CNn.exe | 32% | Virustotal | -
QNx8Bu7CNn.exe | 100% | Joe Sandbox ML | -

Dropped files: no antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label)
1.0.QNx8Bu7CNn.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains (Source | Detection | Scanner | Label)
ftp.valvulasthermovalve.cl | 17% | Virustotal | -

URLs (Source | Detection | Scanner | Label)
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://pzxuZU.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
ftp://ftp.valvulasthermovalve.cl/cva19491 | 100% | URL Reputation | phishing
http://uZTc8nGgAr9KT9EFaKnD.net | 0% | Avira URL Cloud | safe
http://ftp.valvulasthermovalve.cl | 100% | Avira URL Cloud | phishing
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
ftp.valvulasthermovalve.cl | 190.107.177.239 | true | false | - | unknown
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
http://127.0.0.1:HTTP/1.1 | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ftp.valvulasthermovalve.cl | QNx8Bu7CNn.exe, 00000001.00000002.510640859.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.fontbureau.com/designers/? | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://uZTc8nGgAr9KT9EFaKnD.net | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp; QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pzxuZU.com | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
ftp://ftp.valvulasthermovalve.cl/cva19491 | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
190.107.177.239 | ftp.valvulasthermovalve.cl | Chile | 265831 | SOCCOMERCIALWIRENETCHILELTDACL | false
                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                      Analysis ID:715065
                                      Start date and time:2022-10-03 15:48:08 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 8m 50s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:QNx8Bu7CNn.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 8.238.190.126, 8.238.85.254, 8.248.131.254, 67.26.139.254, 8.253.207.120, 93.184.221.240
                                      • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:49:11 | API Interceptor | 723x Sleep call for process: QNx8Bu7CNn.exe modified
                                      Process:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1308
                                      Entropy (8bit):5.345811588615766
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                      MD5:2E016B886BDB8389D2DD0867BE55F87B
                                      SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                      SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                      SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
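The preview has the shape of the .NET runtime's per-application assembly usage log: one CRLF-terminated record per line (the report renders the CR LF bytes as ".."), a numeric record kind, an assembly display name, an optional native-image path and a trailing flag. That the dropped file is that log is an assumption; the report identifies it only by hashes. The parser below is an added example, not from the report or from Joe Sandbox, run on a sample constructed from the previewed records plus a System.Management record, which the earlier volume-information lines show the sample loaded.

```python
"""Parse a .NET assembly usage log of the shape previewed above.

Added example, not part of the Joe Sandbox report. That the dropped file is the
CLR's per-application usage log is an assumption (the report gives only hashes);
the record layout is taken from the preview. SAMPLE_LOG is constructed from the
previewed records plus a System.Management record.
"""
import csv

# Assemblies whose presence in a small WinForms binary is worth a second look.
# The capability notes are the editor's heuristics, not report data.
NOTEWORTHY = {
    "System.Management": "WMI client (Win32_Bios / Win32_NetworkAdapter VM checks)",
    "System.Net.Http": "HTTP client",
    "System.Security": "DPAPI / crypto helpers",
}

# Constructed from the preview; the last record is added.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)


def parse_usage_log(text):
    """Return one dict per record.

    Kind-1 records are name/value headers ("fusion","GAC"); every other record
    names an assembly by display name, optionally followed by the native-image
    (NGEN) path that was bound, and ends with a numeric flag. The kind numbers
    are carried through unchanged rather than interpreted.
    """
    records = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            records.append({"kind": 1, "assembly": None, "display": row[1],
                            "value": row[2], "native_image": None, "flag": int(row[3])})
            continue
        display = row[1]
        native = row[2] if len(row) == 4 else None
        records.append({"kind": kind, "assembly": display.split(",", 1)[0].strip(),
                        "display": display, "value": None, "native_image": native,
                        "flag": int(row[-1])})
    return records


def loaded_assemblies(records):
    """Simple names of every assembly the log records, in load order."""
    return [r["assembly"] for r in records if r["assembly"]]


def noteworthy(records):
    """Map each loaded assembly on the NOTEWORTHY list to its capability note."""
    return {r["assembly"]: NOTEWORTHY[r["assembly"]]
            for r in records if r["assembly"] in NOTEWORTHY}


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    for name in loaded_assemblies(recs):
        print(name)
    print(noteworthy(recs))
```

What a responder wants from this artifact is the assembly list, which here confirms a WinForms binary pulling in System.Management, the WMI client behind the Win32_Bios and Win32_NetworkAdapter checks the signatures flag. Note that the report's own fields disagree on this file (Malicious: true, Reputation: very likely benign): the reputation describes the content, which is an ordinary runtime log, while the flag describes the process that wrote it.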
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):6.560020608920164
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:QNx8Bu7CNn.exe
                                      File size:909824
                                      MD5:9a9cb1f7f37aa3955cfb4d8991583e31
                                      SHA1:8d63b02db5ce9bb9bb1691ab4a5282d18078191a
                                      SHA256:943089ba13faf44a75c9624e2b68af1f561d5567bb4ba7cf4a2596b129da6a2b
                                      SHA512:d018ecbd1cb1cea36a4e24e30525e64a1e44d0505859de1dcb93511d2e5a77f508ed0284114387da67dfcb0294d5bd15e5cf9d8629adc99e013660affa2dbac4
                                      SSDEEP:12288:kK4HTNWk67oi/z0xXi5nv9OZT5fEKD501+owI73IskA2IaBunfuEhp+0:ME4xgv9OjbD/owE3IsH2cnmS
                                      TLSH:2F15D02107E19B0BC0525374CDD2C3B0AFE84EB5E6B5C2874FE9FD9BB5771AAAA00145
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.:c..............0.................. ........@.. .......................@............@................................
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x4df4c2
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x633AA966 [Mon Oct 3 09:20:38 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the imphash shared by every .NET PE whose only native import is mscoree!_CorExeMain; it identifies the runtime stub, not this family, so do not pivot on it)
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xdf470          0x4f          .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x608         .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                      .text   0x2000           0xdd4c8       0xdd600   False     0.6838815905561829   data       6.567722609504779    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc   0xe0000          0x608         0x800     False     0.3310546875         data       3.444132612113464    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0xe2000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name         RVA      Size   Type                                                                                   Language  Country
                                      RT_VERSION   0xe0090  0x378  data
                                      RT_MANIFEST  0xe0418  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      DLL          Import
                                      mscoree.dll  _CorExeMain
                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                      Oct 3, 2022 15:49:31.703001976 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:31.954325914 CEST  21           49703      190.107.177.239  192.168.2.7
                                      Oct 3, 2022 15:49:31.954523087 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:31.960650921 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:32.201725006 CEST  21           49703      190.107.177.239  192.168.2.7
                                      Oct 3, 2022 15:49:32.201850891 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:32.207669973 CEST  21           49703      190.107.177.239  192.168.2.7
                                      Oct 3, 2022 15:49:32.207695961 CEST  21           49703      190.107.177.239  192.168.2.7
                                      Oct 3, 2022 15:49:32.207709074 CEST  21           49703      190.107.177.239  192.168.2.7
                                      Oct 3, 2022 15:49:32.207739115 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:32.207787037 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Oct 3, 2022 15:49:32.207787037 CEST  49703        21         192.168.2.7      190.107.177.239
                                      Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                      Oct 3, 2022 15:49:31.417812109 CEST  55752        53         192.168.2.7  8.8.8.8
                                      Oct 3, 2022 15:49:31.685353041 CEST  53           55752      8.8.8.8      192.168.2.7
                                      Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
                                      Oct 3, 2022 15:49:31.417812109 CEST  192.168.2.7  8.8.8.8  0xa279    Standard query (0)  ftp.valvulasthermovalve.cl  A (IP address)  IN (0x0001)  false
                                      Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                        CName  Address          Type            Class        DNS over HTTPS
                                      Oct 3, 2022 15:49:31.685353041 CEST  8.8.8.8    192.168.2.7  0xa279    No error (0)  ftp.valvulasthermovalve.cl         190.107.177.239  A (IP address)  IN (0x0001)  false
                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP      Commands
                                      Oct 3, 2022 15:49:32.201725006 CEST  21           49703      190.107.177.239  192.168.2.7  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                                                 220-You are user number 10 of 100 allowed.
                                                                                                                                 220-Local time is now 09:49. Server port: 21.
                                                                                                                                 220-This is a private system - No anonymous login
                                                                                                                                 220-IPv6 connections are also welcome on this server.
                                                                                                                                 220 You will be disconnected after 15 minutes of inactivity.
                                      Oct 3, 2022 15:49:32.207695961 CEST  21           49703      190.107.177.239  192.168.2.7  220 Logout.


                                      Target ID:0
                                      Start time:15:49:01
                                      Start date:03/10/2022
                                      Path:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                      Imagebase:0xf00000
                                      File size:909824 bytes
                                      MD5 hash:9A9CB1F7F37AA3955CFB4D8991583E31
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:1
                                      Start time:15:49:13
                                      Start date:03/10/2022
                                      Path:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                      Imagebase:0x500000
                                      File size:909824 bytes
                                      MD5 hash:9A9CB1F7F37AA3955CFB4D8991583E31
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      No disassembly