Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Analysis ID:	756189
MD5:	f976242274e3a8b6859f43212321e5cd
SHA1:	4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:	49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe (PID: 3916 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe MD5: F976242274E3A8B6859F43212321E5CD)

SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe (PID: 4520 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe MD5: F976242274E3A8B6859F43212321E5CD)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x306fd:$a3: MailAccountConfiguration 0x30716:$a5: SmtpAccountConfiguration 0x306dd:$a8: set_BindingAccountConfiguration 0x2f67c:$a11: get_securityProfile 0x2f51d:$a12: get_useSeparateFolderTree 0x30e4f:$a13: get_DnsResolver 0x2f92c:$a14: get_archivingScope 0x2f754:$a15: get_providerName 0x31e2a:$a17: get_priority 0x31401:$a18: get_advancedParameters 0x30817:$a19: get_disabledByRestriction 0x2f2f6:$a20: get_LastAccessed 0x2f9c6:$a21: get_avatarType 0x31518:$a22: get_signaturePresets 0x2ffbc:$a23: get_enableLog 0x2f7d1:$a26: set_accountName 0x31963:$a27: set_InternalServerPort 0x2ec90:$a28: set_bindingConfigurationUID 0x314de:$a29: set_IdnAddress 0x31cde:$a30: set_GuidMasterKey 0x2f82c:$a31: set_username
00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x20d3:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2b36:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1f68:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x21f4:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x11c3ed:$a3: MailAccountConfiguration 0x151a0d:$a3: MailAccountConfiguration 0x186e2d:$a3: MailAccountConfiguration 0x11c406:$a5: SmtpAccountConfiguration 0x151a26:$a5: SmtpAccountConfiguration 0x186e46:$a5: SmtpAccountConfiguration 0x11c3cd:$a8: set_BindingAccountConfiguration 0x1519ed:$a8: set_BindingAccountConfiguration 0x186e0d:$a8: set_BindingAccountConfiguration 0x11b36c:$a11: get_securityProfile 0x15098c:$a11: get_securityProfile 0x185dac:$a11: get_securityProfile 0x11b20d:$a12: get_useSeparateFolderTree 0x15082d:$a12: get_useSeparateFolderTree 0x185c4d:$a12: get_useSeparateFolderTree 0x11cb3f:$a13: get_DnsResolver 0x15215f:$a13: get_DnsResolver 0x18757f:$a13: get_DnsResolver 0x11b61c:$a14: get_archivingScope 0x150c3c:$a14: get_archivingScope 0x18605c:$a14: get_archivingScope
00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x17131:$a3: MailAccountConfiguration 0x1714a:$a5: SmtpAccountConfiguration 0x17111:$a8: set_BindingAccountConfiguration 0x1623b:$a11: get_securityProfile 0x160df:$a12: get_useSeparateFolderTree 0x177de:$a13: get_DnsResolver 0x164e7:$a14: get_archivingScope 0x16313:$a15: get_providerName 0x186a0:$a17: get_priority 0x17d63:$a18: get_advancedParameters 0x1724b:$a19: get_disabledByRestriction 0x15ee7:$a20: get_LastAccessed 0x16581:$a21: get_avatarType 0x17e7a:$a22: get_signaturePresets 0x16b1c:$a23: get_enableLog 0x16390:$a26: set_accountName 0x182a4:$a27: set_InternalServerPort 0x15cd4:$a28: set_bindingConfigurationUID 0x17e40:$a29: set_IdnAddress 0x1855e:$a30: set_GuidMasterKey 0x163eb:$a31: set_username
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x17b65:$s1: get_kbok 0x183f4:$s2: get_CHoo 0x18f85:$s3: set_passwordIsSet 0x17a11:$s4: get_enableLog 0x16eb3:$g1: get_Clipboard 0x16ec1:$g2: get_Keyboard 0x16ece:$g3: get_Password 0x182bf:$g4: get_CtrlKeyDown 0x182cf:$g5: get_ShiftKeyDown 0x182e0:$g6: get_AltKeyDown 0x1469:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x35ea:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1ecc:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x404c:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x12fe:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x347f:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x158a:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x370b:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x18026:$a3: MailAccountConfiguration 0x1803f:$a5: SmtpAccountConfiguration 0x18006:$a8: set_BindingAccountConfiguration 0x17130:$a11: get_securityProfile 0x16fd4:$a12: get_useSeparateFolderTree 0x186d3:$a13: get_DnsResolver 0x173dc:$a14: get_archivingScope 0x17208:$a15: get_providerName 0x19595:$a17: get_priority 0x18c58:$a18: get_advancedParameters 0x18140:$a19: get_disabledByRestriction 0x16ddc:$a20: get_LastAccessed 0x17476:$a21: get_avatarType 0x18d6f:$a22: get_signaturePresets 0x17a11:$a23: get_enableLog 0x17285:$a26: set_accountName 0x19199:$a27: set_InternalServerPort 0x16bc9:$a28: set_bindingConfigurationUID 0x18d35:$a29: set_IdnAddress 0x19453:$a30: set_GuidMasterKey 0x172e0:$a31: set_username
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e5b8:$s1: get_kbok 0x2eefb:$s2: get_CHoo 0x2fb49:$s3: set_passwordIsSet 0x2e3bc:$s4: get_enableLog 0x32a1c:$s8: torbrowser 0x313f8:$s10: logins 0x30d70:$s11: credential 0x2d7e1:$g1: get_Clipboard 0x2d7ef:$g2: get_Keyboard 0x2d7fc:$g3: get_Password 0x2ed9a:$g4: get_CtrlKeyDown 0x2edaa:$g5: get_ShiftKeyDown 0x2edbb:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eafd:$a3: MailAccountConfiguration 0x2eb16:$a5: SmtpAccountConfiguration 0x2eadd:$a8: set_BindingAccountConfiguration 0x2da7c:$a11: get_securityProfile 0x2d91d:$a12: get_useSeparateFolderTree 0x2f24f:$a13: get_DnsResolver 0x2dd2c:$a14: get_archivingScope 0x2db54:$a15: get_providerName 0x3022a:$a17: get_priority 0x2f801:$a18: get_advancedParameters 0x2ec17:$a19: get_disabledByRestriction 0x2d6f6:$a20: get_LastAccessed 0x2ddc6:$a21: get_avatarType 0x2f918:$a22: get_signaturePresets 0x2e3bc:$a23: get_enableLog 0x2dbd1:$a26: set_accountName 0x2fd63:$a27: set_InternalServerPort 0x2d090:$a28: set_bindingConfigurationUID 0x2f8de:$a29: set_IdnAddress 0x300de:$a30: set_GuidMasterKey 0x2dc2c:$a31: set_username
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x331f8:$s10: logins 0x32b70:$s11: credential 0x2f5e1:$g1: get_Clipboard 0x2f5ef:$g2: get_Keyboard 0x2f5fc:$g3: get_Password 0x30b9a:$g4: get_CtrlKeyDown 0x30baa:$g5: get_ShiftKeyDown 0x30bbb:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x2f954:$a15: get_providerName 0x3202a:$a17: get_priority 0x31601:$a18: get_advancedParameters 0x30a17:$a19: get_disabledByRestriction 0x2f4f6:$a20: get_LastAccessed 0x2fbc6:$a21: get_avatarType 0x31718:$a22: get_signaturePresets 0x301bc:$a23: get_enableLog 0x2f9d1:$a26: set_accountName 0x31b63:$a27: set_InternalServerPort 0x2ee90:$a28: set_bindingConfigurationUID 0x316de:$a29: set_IdnAddress 0x31ede:$a30: set_GuidMasterKey 0x2fa2c:$a31: set_username
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e5b8:$s1: get_kbok 0x2eefb:$s2: get_CHoo 0x2fb49:$s3: set_passwordIsSet 0x2e3bc:$s4: get_enableLog 0x32a1c:$s8: torbrowser 0x313f8:$s10: logins 0x30d70:$s11: credential 0x2d7e1:$g1: get_Clipboard 0x2d7ef:$g2: get_Keyboard 0x2d7fc:$g3: get_Password 0x2ed9a:$g4: get_CtrlKeyDown 0x2edaa:$g5: get_ShiftKeyDown 0x2edbb:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eafd:$a3: MailAccountConfiguration 0x2eb16:$a5: SmtpAccountConfiguration 0x2eadd:$a8: set_BindingAccountConfiguration 0x2da7c:$a11: get_securityProfile 0x2d91d:$a12: get_useSeparateFolderTree 0x2f24f:$a13: get_DnsResolver 0x2dd2c:$a14: get_archivingScope 0x2db54:$a15: get_providerName 0x3022a:$a17: get_priority 0x2f801:$a18: get_advancedParameters 0x2ec17:$a19: get_disabledByRestriction 0x2d6f6:$a20: get_LastAccessed 0x2ddc6:$a21: get_avatarType 0x2f918:$a22: get_signaturePresets 0x2e3bc:$a23: get_enableLog 0x2dbd1:$a26: set_accountName 0x2fd63:$a27: set_InternalServerPort 0x2d090:$a28: set_bindingConfigurationUID 0x2f8de:$a29: set_IdnAddress 0x300de:$a30: set_GuidMasterKey 0x2dc2c:$a31: set_username
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x659d8:$s1: get_kbok 0x9adf8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x6631b:$s2: get_CHoo 0x9b73b:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x66f69:$s3: set_passwordIsSet 0x9c389:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x657dc:$s4: get_enableLog 0x9abfc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x69e3c:$s8: torbrowser 0x9f25c:$s8: torbrowser 0x331f8:$s10: logins 0x68818:$s10: logins 0x9dc38:$s10: logins 0x32b70:$s11: credential 0x68190:$s11: credential 0x9d5b0:$s11: credential
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x100b0b:$s1: file:/// 0x100a1b:$s2: {11111-22222-10009-11112} 0x100a9b:$s3: {11111-22222-50001-00000} 0xffc4d:$s4: get_Module 0x2fcb4:$s5: Reverse 0x652d4:$s5: Reverse 0x9a6f4:$s5: Reverse 0xfffc8:$s5: Reverse 0x31f8d:$s6: BlockCopy 0x675ad:$s6: BlockCopy 0x9c9cd:$s6: BlockCopy 0xfb194:$s6: BlockCopy 0x2ff26:$s7: ReadByte 0x65546:$s7: ReadByte 0x9a966:$s7: ReadByte 0x100b1d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x65f1d:$a3: MailAccountConfiguration 0x9b33d:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x65f36:$a5: SmtpAccountConfiguration 0x9b356:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x65efd:$a8: set_BindingAccountConfiguration 0x9b31d:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x64e9c:$a11: get_securityProfile 0x9a2bc:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x64d3d:$a12: get_useSeparateFolderTree 0x9a15d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x6666f:$a13: get_DnsResolver 0x9ba8f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x6514c:$a14: get_archivingScope 0x9a56c:$a14: get_archivingScope
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x657d8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x6611b:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x66d69:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x655dc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x69c3c:$s8: torbrowser 0x331f8:$s10: logins 0x68618:$s10: logins 0x32b70:$s11: credential 0x67f90:$s11: credential 0x2f5e1:$g1: get_Clipboard 0x64a01:$g1: get_Clipboard 0x2f5ef:$g2: get_Keyboard 0x64a0f:$g2: get_Keyboard 0x2f5fc:$g3: get_Password 0x64a1c:$g3: get_Password 0x30b9a:$g4: get_CtrlKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb4eb:$s1: file:/// 0xcb3fb:$s2: {11111-22222-10009-11112} 0xcb47b:$s3: {11111-22222-50001-00000} 0xca62d:$s4: get_Module 0x2fcb4:$s5: Reverse 0x650d4:$s5: Reverse 0xca9a8:$s5: Reverse 0x31f8d:$s6: BlockCopy 0x673ad:$s6: BlockCopy 0xc5b74:$s6: BlockCopy 0x2ff26:$s7: ReadByte 0x65346:$s7: ReadByte 0xcb4fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x65d1d:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x65d36:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x65cfd:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x64c9c:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x64b3d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x6646f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x64f4c:$a14: get_archivingScope 0x2f954:$a15: get_providerName 0x64d74:$a15: get_providerName 0x3202a:$a17: get_priority 0x6744a:$a17: get_priority 0x31601:$a18: get_advancedParameters 0x66a21:$a18: get_advancedParameters 0x30a17:$a19: get_disabledByRestriction
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x8ddd8:$s1: get_kbok 0xc33f8:$s1: get_kbok 0xf8818:$s1: get_kbok 0x8e71b:$s2: get_CHoo 0xc3d3b:$s2: get_CHoo 0xf915b:$s2: get_CHoo 0x8f369:$s3: set_passwordIsSet 0xc4989:$s3: set_passwordIsSet 0xf9da9:$s3: set_passwordIsSet 0x8dbdc:$s4: get_enableLog 0xc31fc:$s4: get_enableLog 0xf861c:$s4: get_enableLog 0x9223c:$s8: torbrowser 0xc785c:$s8: torbrowser 0xfcc7c:$s8: torbrowser 0x90c18:$s10: logins 0xc6238:$s10: logins 0xfb658:$s10: logins 0x90590:$s11: credential 0xc5bb0:$s11: credential 0xfafd0:$s11: credential
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x15e52b:$s1: file:/// 0x15e43b:$s2: {11111-22222-10009-11112} 0x15e4bb:$s3: {11111-22222-50001-00000} 0x15d66d:$s4: get_Module 0x8d6d4:$s5: Reverse 0xc2cf4:$s5: Reverse 0xf8114:$s5: Reverse 0x15d9e8:$s5: Reverse 0x8f9ad:$s6: BlockCopy 0xc4fcd:$s6: BlockCopy 0xfa3ed:$s6: BlockCopy 0x158bb4:$s6: BlockCopy 0x8d946:$s7: ReadByte 0xc2f66:$s7: ReadByte 0xf8386:$s7: ReadByte 0x15e53d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8e31d:$a3: MailAccountConfiguration 0xc393d:$a3: MailAccountConfiguration 0xf8d5d:$a3: MailAccountConfiguration 0x8e336:$a5: SmtpAccountConfiguration 0xc3956:$a5: SmtpAccountConfiguration 0xf8d76:$a5: SmtpAccountConfiguration 0x8e2fd:$a8: set_BindingAccountConfiguration 0xc391d:$a8: set_BindingAccountConfiguration 0xf8d3d:$a8: set_BindingAccountConfiguration 0x8d29c:$a11: get_securityProfile 0xc28bc:$a11: get_securityProfile 0xf7cdc:$a11: get_securityProfile 0x8d13d:$a12: get_useSeparateFolderTree 0xc275d:$a12: get_useSeparateFolderTree 0xf7b7d:$a12: get_useSeparateFolderTree 0x8ea6f:$a13: get_DnsResolver 0xc408f:$a13: get_DnsResolver 0xf94af:$a13: get_DnsResolver 0x8d54c:$a14: get_archivingScope 0xc2b6c:$a14: get_archivingScope 0xf7f8c:$a14: get_archivingScope
Click to see the 26 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Virustotal: Detection: 30%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Avira: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://PcwsIt.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com_
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comrsiva
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comue9
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/aCo
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs

Large array initialization: .cctor: array initializer size 11778

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7C1F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7E640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7E650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F38B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F38C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_072B001A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_072B0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C2C848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C22618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C21FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C2F5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C29DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4CB00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C49470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C44C0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C43550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4A8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4E0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C40040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C40BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F94E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F9B0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F96580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E46A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E45B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E4672
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E4690

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000000.241444260.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.300732780.0000000007100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.506084189.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.284033383.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Binary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Virustotal: Detection: 30%

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.511302808.0000000002B11000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F0015 push eax; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C27A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4DA58 pushfd ; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C47DC9 push 8BFFFFFFh; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F90434 push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F9A651 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F90DD0 push 3C00F8CBh; retf

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: 0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.59561068934023

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 2888	Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3092	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3372	Thread sleep count: 9862 > 30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Window / User API: threadDelayed 9862

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 38122
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Code function: 1_2_00C4C8C0 LdrInitializeThunk,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	114 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	31%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	100%	Avira	HEUR/AGEN.1249296
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack	100%	Avira	HEUR/AGEN.1249296		Download File
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com_	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/aCo	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comrsiva	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comue9	0%	URL Reputation	safe
http://PcwsIt.com	0%	Virustotal		Browse
http://PcwsIt.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNS	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/aCo	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com_	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsiva	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://PcwsIt.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comue9	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756189
Start date and time:	2022-11-29 19:34:38 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:35:47	API Interceptor	570x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.590447173134643
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
File size:	836608
MD5:	f976242274e3a8b6859f43212321e5cd
SHA1:	4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:	49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
SHA512:	de657d8cb7ee401139a414964c333053bc6570e1d29b4125cdc440dc61637b0597ee4c1bb0eafd5a8855727bc6089430e3b80c457c6c5a19ce1ef2f769957b80
SSDEEP:	12288:oOvpYqjMN+3gYffB411R77TeB3EqcDFRLJtXsxFXynzw5tkD3twn:3Yqy+t8N7qNEtFRLJtXsxkc5aD9
TLSH:	70053A2297B1C906F93389ED62EC5A114DA821C148B4C949CC573DC15E78E6BF4FCAFA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cda92
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcda40	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcda24	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcba98	0xcbc00	False	0.7869320360429448	data	7.59561068934023	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x370	0x400	False	0.3662109375	data	2.781211359728944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xce058	0x314	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	19:35:34
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Imagebase:	0x510000
File size:	836608 bytes
MD5 hash:	F976242274E3A8B6859F43212321E5CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exePID: 4520, Parent PID: 3916

General

Target ID:	1
Start time:	19:35:54
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Imagebase:	0x610000
File size:	836608 bytes
MD5 hash:	F976242274E3A8B6859F43212321E5CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exePID: 3916, Parent PID: 3320

General

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exePID: 4520, Parent PID: 3916

General

Disassembly

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe