
Windows Analysis Report
4dxXH2RAM2.exe

Overview

General Information

Sample Name: 4dxXH2RAM2.exe
Analysis ID: 785291
MD5: a7d382e47c695655163eec2dfc56d3b3
SHA1: 940ba2c6bc2868335cf67867c6dac7185dfeddad
SHA256: 70b72b719f860728633cfaf7f6855195b9a3f4f4a7e4d86fdc0ac12d05c4eb28
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 4dxXH2RAM2.exe (PID: 4224 cmdline: C:\Users\user\Desktop\4dxXH2RAM2.exe MD5: A7D382E47C695655163EEC2DFC56D3B3)
    • 4dxXH2RAM2.exe (PID: 5912 cmdline: C:\Users\user\Desktop\4dxXH2RAM2.exe MD5: A7D382E47C695655163EEC2DFC56D3B3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: 4dxXH2RAM2.exe PID: 4224 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: 4dxXH2RAM2.exe PID: 5912 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
No Snort rule has matched

            AV Detection

            Source: 4dxXH2RAM2.exe | ReversingLabs: Detection: 23%
            Source: 4dxXH2RAM2.exe | Virustotal: Detection: 28%
            Source: 4dxXH2RAM2.exe | Joe Sandbox ML: detected
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
            Source: 4dxXH2RAM2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49698 version: TLS 1.2
            Source: 4dxXH2RAM2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | DNS query: name: api.ipify.org
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | IP Address: 64.185.227.155
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                Host: api.ipify.org
                Connection: Keep-Alive
            Source: global traffic | TCP traffic: 192.168.2.3:49699 -> 185.118.171.10:587
            Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000001.00000002.517824176.0000000006F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: 4dxXH2RAM2.exe, 00000001.00000002.517824176.0000000006F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000001.00000002.517824176.0000000006F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
            Source: 4dxXH2RAM2.exe, 00000000.00000003.246595069.00000000062D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikip
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.panservis.rs
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000001.00000002.517824176.0000000006F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://panservis.rs
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247159965.00000000062D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247064787.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247109626.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comnt(
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.259623355.00000000062A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: 4dxXH2RAM2.exe, 00000000.00000003.248697595.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.248803184.00000000062D9000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.248725077.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.248757122.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.248777373.00000000062D5000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.248829465.00000000062D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: 4dxXH2RAM2.exe, 00000000.00000003.249512007.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249689074.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249717787.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249533775.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249621602.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249469237.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249438095.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249216232.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249490558.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249188867.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: 4dxXH2RAM2.exe, 00000000.00000003.249216232.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249188867.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249278621.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.249240990.00000000062D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlX
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: 4dxXH2RAM2.exe, 00000000.00000003.259623355.00000000062A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
            Source: 4dxXH2RAM2.exe, 00000000.00000003.259623355.00000000062A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comg
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: 4dxXH2RAM2.exe, 00000000.00000003.246436662.00000000062CD000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.246595069.00000000062D0000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.246612395.00000000062B1000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.246459109.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: 4dxXH2RAM2.exe, 00000000.00000003.246436662.00000000062CD000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.246459109.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn?T
            Source: 4dxXH2RAM2.exe, 00000000.00000003.246612395.00000000062B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
            Source: 4dxXH2RAM2.exe, 00000000.00000003.246612395.00000000062B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnM
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.251375870.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247993160.00000000062D2000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247878901.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.itcfonts.
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247313635.00000000062A3000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247370428.00000000062B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/7
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/=
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247370428.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247494706.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247588834.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247313635.00000000062A3000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247370428.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.247394202.00000000062AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
            Source: 4dxXH2RAM2.exe, 00000000.00000003.251507822.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.251443929.00000000062D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
            Source: 4dxXH2RAM2.exe, 00000000.00000003.253118949.00000000062D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.ZGR
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247838434.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com-tiW
            Source: 4dxXH2RAM2.exe, 00000000.00000003.247838434.00000000062D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comrm9W
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp, 4dxXH2RAM2.exe, 00000000.00000003.246729518.00000000062D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: 4dxXH2RAM2.exe, 00000000.00000002.270318461.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
            Source: 4dxXH2RAM2.exe, 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
            Source: unknown | DNS traffic detected: queries for: api.ipify.org
            Source: 4dxXH2RAM2.exe, 00000000.00000002.260341307.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_031CC1D4
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_031CE618
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_031CE608
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_057D4EB8
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_07B70013
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_07B70040
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_033AC998
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_033AA9D8
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_033A9DC0
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_033AA108
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07286260
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07285290
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07281960
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07280040
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07288820
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0754DF28
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0754F490
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07549B70
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_078647B2
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_078647E0
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07864E78
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0786B5E8
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_07860040
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_078647D0
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0786CB30
            Source: 4dxXH2RAM2.exe, 00000000.00000002.263762208.00000000043F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003550000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.260341307.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.272658638.0000000007A00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCollins.dll8 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTigra.dll. vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000002.263762208.0000000004658000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCollins.dll8 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000000.00000000.243684120.0000000000F84000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePqyJB.exe6 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000001.00000002.509591193.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe, 00000001.00000002.509890918.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe | Binary or memory string: OriginalFilenamePqyJB.exe6 vs 4dxXH2RAM2.exe
            Source: 4dxXH2RAM2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\4dxXH2RAM2.exe C:\Users\user\Desktop\4dxXH2RAM2.exe
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Process created: C:\Users\user\Desktop\4dxXH2RAM2.exe C:\Users\user\Desktop\4dxXH2RAM2.exe
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4dxXH2RAM2.exe.log
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2
            Source: 4dxXH2RAM2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack, A/N1.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack, A/N1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack, a/aN1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack, a/am2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
            Source: 1.2.4dxXH2RAM2.exe.400000.0.unpack, A/P1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: 4dxXH2RAM2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 4dxXH2RAM2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            barindex
            Source: 4dxXH2RAM2.exe, ProjectAI_Game8Puzzle_BFS/Home.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.4dxXH2RAM2.exe.ea0000.0.unpack, ProjectAI_Game8Puzzle_BFS/Home.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 0_2_07B73210 push edx; iretd 0_2_07B73213
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0728A80A push 44072690h; ret 1_2_0728A815
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_0754F481 push 4C076956h; iretd 1_2_0754F48D
            Source: 4dxXH2RAM2.exe | Static PE information: 0x86893F57 [Thu Jul 11 07:46:31 2041 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.635282322125391
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 4dxXH2RAM2.exe PID: 4224, type: MEMORYSTR
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 3520 | Thread sleep time: -37665s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5672 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 4392 | Thread sleep count: 2819 > 30
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99873s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99765s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99647s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99516s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99398s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99243s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99125s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -99015s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -98906s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -98782s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe TID: 5308 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Window / User API: threadDelayed 2819
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 37665
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99873
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99765
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99647
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99516
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99398
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99243
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99125
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 99015
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 98906
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Thread delayed: delay time: 98782
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: 4dxXH2RAM2.exe, 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Process created: C:\Users\user\Desktop\4dxXH2RAM2.exe C:\Users\user\Desktop\4dxXH2RAM2.exe
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Users\user\Desktop\4dxXH2RAM2.exe VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Users\user\Desktop\4dxXH2RAM2.exe | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Code function: 1_2_033AF6F0 GetUserNameW, 1_2_033AF6F0

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 4dxXH2RAM2.exe PID: 5912, type: MEMORYSTR
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\4dxXH2RAM2.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 4dxXH2RAM2.exe PID: 5912, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 4dxXH2RAM2.exe PID: 5912, type: MEMORYSTR

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts211
            Windows Management Instrumentation
            Path Interception11
            Process Injection
            1
            Disable or Modify Tools
            1
            OS Credential Dumping
            1
            Account Discovery
            Remote Services11
            Archive Collected Data
            Exfiltration Over Other Network Medium1
            Ingress Tool Transfer
            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
            Deobfuscate/Decode Files or Information
            1
            Input Capture
            114
            System Information Discovery
            Remote Desktop Protocol1
            Data from Local System
            Exfiltration Over Bluetooth11
            Encrypted Channel
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
            Obfuscated Files or Information
            1
            Credentials in Registry
            1
            Query Registry
            SMB/Windows Admin Shares1
            Email Collection
            Automated Exfiltration1
            Non-Standard Port
            Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)13
            Software Packing
            NTDS211
            Security Software Discovery
            Distributed Component Object Model1
            Input Capture
            Scheduled Transfer2
            Non-Application Layer Protocol
            SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Timestomp
            LSA Secrets131
            Virtualization/Sandbox Evasion
            SSHKeyloggingData Transfer Size Limits23
            Application Layer Protocol
            Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            Masquerading
            Cached Domain Credentials1
            Application Window Discovery
            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items131
            Virtualization/Sandbox Evasion
            DCSync1
            System Owner/User Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job11
            Process Injection
            Proc Filesystem1
            Remote System Discovery
            Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
            System Network Configuration Discovery
            Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Source | Detection | Scanner | Label
            4dxXH2RAM2.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx
            4dxXH2RAM2.exe | 29% | Virustotal |
            4dxXH2RAM2.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            1.2.4dxXH2RAM2.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
            Source | Detection | Scanner | Label
            panservis.rs | 0% | Virustotal |
            mail.panservis.rs | 0% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            panservis.rs | 185.118.171.10 | true | false | | unknown
            api4.ipify.org | 64.185.227.155 | true | false | | high
            api.ipify.org | unknown | unknown | false | | high
            mail.panservis.rs | unknown | unknown | false | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://api.ipify.org/ | false | | high
Contacted IPs:
IP: 185.118.171.10
  Domain: panservis.rs
  Country: Serbia
  ASN: 203877
  ASN Name: ASTRATELEKOMRS
  Malicious: false
IP: 64.185.227.155
  Domain: api4.ipify.org
  Country: United States
  ASN: 18450
  ASN Name: WEBNXUS
  Malicious: false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 785291
Start date and time: 2023-01-16 18:52:11 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4dxXH2RAM2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 45
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time: 18:53:08
Type: API Interceptor
Description: 12x Sleep call for process: 4dxXH2RAM2.exe modified
Dropped file:
Process: C:\Users\user\Desktop\4dxXH2RAM2.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
Static file info:
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.630485301910821
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 4dxXH2RAM2.exe
File size: 922624
MD5: a7d382e47c695655163eec2dfc56d3b3
SHA1: 940ba2c6bc2868335cf67867c6dac7185dfeddad
SHA256: 70b72b719f860728633cfaf7f6855195b9a3f4f4a7e4d86fdc0ac12d05c4eb28
SHA512: 9fa14a8217dede5ce7b0f753b8e8f41b74e943bdf4d687c650ff03eac7fcdf7f1027414d9800eb2cf1bc403e326b9b0b9def13748de1be2495dacfa9b6f8959a
SSDEEP: 24576:tmLepD6b3ewHdqolHQEVq4/0Q6t3IplOiiPD:tmLNb/xL/0Q6lmOiiPD
TLSH: 9715ADD116ADC7E5E4F60E380628391467A99897837DA17EBEC314BF84F674F40783A2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W?................0..............*... ...@....@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4e2aa2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x86893F57 [Thu Jul 11 07:46:31 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint instructions:
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the second instruction is listed 97 times in the original disassembly: the bytes following the jmp stub are zero padding, and 00 00 decodes as add byte ptr [eax], al)
Data directories:
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xe2a50          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xe4000          0x370         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xe6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0xe2a34          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xe0aa8       0xe0c00   False     0.7995005301028921  data       7.635282322125391    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe4000          0x370         0x400     False     0.3662109375        data       2.8171265223585418   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe6000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA      Size   Type  Language  Country
RT_VERSION  0xe4058  0x314  data  -         -

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Jan 16, 2023 18:53:12.052637100 CET  192.168.2.3  8.8.8.8  0x175b    Standard query (0)  api.ipify.org      A (IP address)  IN (0x0001)  false
Jan 16, 2023 18:53:12.081053019 CET  192.168.2.3  8.8.8.8  0xda23    Standard query (0)  api.ipify.org      A (IP address)  IN (0x0001)  false
Jan 16, 2023 18:53:23.104026079 CET  192.168.2.3  8.8.8.8  0xcc65    Standard query (0)  mail.panservis.rs  A (IP address)  IN (0x0001)  false
Jan 16, 2023 18:53:23.189105034 CET  192.168.2.3  8.8.8.8  0x160f    Standard query (0)  mail.panservis.rs  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName           Address         Type                    Class        DNS over HTTPS
Jan 16, 2023 18:53:12.071893930 CET  8.8.8.8    192.168.2.3  0x175b    No error (0)  api.ipify.org      api4.ipify.org  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 16, 2023 18:53:12.071893930 CET  8.8.8.8    192.168.2.3  0x175b    No error (0)  api4.ipify.org     -               64.185.227.155  A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:12.071893930 CET  8.8.8.8    192.168.2.3  0x175b    No error (0)  api4.ipify.org     -               173.231.16.75   A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:12.071893930 CET  8.8.8.8    192.168.2.3  0x175b    No error (0)  api4.ipify.org     -               104.237.62.211  A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:12.100291967 CET  8.8.8.8    192.168.2.3  0xda23    No error (0)  api.ipify.org      api4.ipify.org  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 16, 2023 18:53:12.100291967 CET  8.8.8.8    192.168.2.3  0xda23    No error (0)  api4.ipify.org     -               64.185.227.155  A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:12.100291967 CET  8.8.8.8    192.168.2.3  0xda23    No error (0)  api4.ipify.org     -               173.231.16.75   A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:12.100291967 CET  8.8.8.8    192.168.2.3  0xda23    No error (0)  api4.ipify.org     -               104.237.62.211  A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:23.185409069 CET  8.8.8.8    192.168.2.3  0xcc65    No error (0)  mail.panservis.rs  panservis.rs    -               CNAME (Canonical name)  IN (0x0001)  false
Jan 16, 2023 18:53:23.185409069 CET  8.8.8.8    192.168.2.3  0xcc65    No error (0)  panservis.rs       -               185.118.171.10  A (IP address)          IN (0x0001)  false
Jan 16, 2023 18:53:23.206561089 CET  8.8.8.8    192.168.2.3  0x160f    No error (0)  mail.panservis.rs  panservis.rs    -               CNAME (Canonical name)  IN (0x0001)  false
Jan 16, 2023 18:53:23.206561089 CET  8.8.8.8    192.168.2.3  0x160f    No error (0)  panservis.rs       -               185.118.171.10  A (IP address)          IN (0x0001)  false
                                                  • api.ipify.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49698        64.185.227.155  443               C:\Users\user\Desktop\4dxXH2RAM2.exe

Timestamp                kBytes transferred  Direction  Data
2023-01-16 17:53:13 UTC  0                   OUT        GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-01-16 17:53:13 UTC  0                   IN         HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Length: 11
Content-Type: text/plain
Date: Mon, 16 Jan 2023 17:53:13 GMT
Vary: Origin
Connection: close
2023-01-16 17:53:13 UTC  0                   IN         Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 37
Data Ascii: 84.17.52.47


Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Jan 16, 2023 18:53:23.435436010 CET  587          49699      185.118.171.10  192.168.2.3     220-cp1.astratelekom.com ESMTP Exim 4.95 #2 Mon, 16 Jan 2023 18:53:23 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Jan 16, 2023 18:53:23.444004059 CET  49699        587        192.168.2.3     185.118.171.10  EHLO 051829
Jan 16, 2023 18:53:23.479717016 CET  587          49699      185.118.171.10  192.168.2.3     250-cp1.astratelekom.com Hello 051829 [84.17.52.47]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Jan 16, 2023 18:53:23.480205059 CET  49699        587        192.168.2.3     185.118.171.10  STARTTLS
Jan 16, 2023 18:53:23.518991947 CET  587          49699      185.118.171.10  192.168.2.3     220 TLS go ahead

                                                  Target ID:0
                                                  Start time:18:53:02
                                                  Start date:16/01/2023
                                                  Path:C:\Users\user\Desktop\4dxXH2RAM2.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\4dxXH2RAM2.exe
                                                  Imagebase:0xea0000
                                                  File size:922624 bytes
                                                  MD5 hash:A7D382E47C695655163EEC2DFC56D3B3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261793489.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:1
                                                  Start time:18:53:09
                                                  Start date:16/01/2023
                                                  Path:C:\Users\user\Desktop\4dxXH2RAM2.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\4dxXH2RAM2.exe
                                                  Imagebase:0xfc0000
                                                  File size:922624 bytes
                                                  MD5 hash:A7D382E47C695655163EEC2DFC56D3B3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.514036924.00000000034EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
