Edit tour

Windows Analysis Report
USD 46947,6 20230101162552.exe

Overview

General Information

Sample Name:	USD 46947,6 20230101162552.exe
Analysis ID:	797813
MD5:	680ab6d7a8d07efd8fc74020138b3d9e
SHA1:	fba2cd2d06e466cd1f89901a47dc1a89c018181a
SHA256:	f5c390ae7deb67f68f921833cc2efef8d6b5c24206fdecfd8b72225f663c375c
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

USD 46947,6 20230101162552.exe (PID: 5456 cmdline: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe MD5: 680AB6D7A8D07EFD8FC74020138B3D9E)

USD 46947,6 20230101162552.exe (PID: 5584 cmdline: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe MD5: 680AB6D7A8D07EFD8FC74020138B3D9E)

USD 46947,6 20230101162552.exe (PID: 5984 cmdline: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe MD5: 680AB6D7A8D07EFD8FC74020138B3D9E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: USD 46947,6 20230101162552.exe PID: 5456	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: USD 46947,6 20230101162552.exe PID: 5984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: USD 46947,6 20230101162552.exe PID: 5984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.USD 46947,6 20230101162552.exe.2813f78.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.USD 46947,6 20230101162552.exe.2813f78.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd3e2:$v1: SbieDll.dll 0xd3fc:$v2: USER 0xd408:$v3: SANDBOX 0xd41a:$v4: VIRUS 0xd46a:$v4: VIRUS 0xd428:$v5: MALWARE 0xd43a:$v6: SCHMIDTI 0xd44e:$v7: CURRENTUSER
0.2.USD 46947,6 20230101162552.exe.27f02cc.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.USD 46947,6 20230101162552.exe.27f02cc.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x3108e:$v1: SbieDll.dll 0x310a8:$v2: USER 0x310b4:$v3: SANDBOX 0x310c6:$v4: VIRUS 0x31116:$v4: VIRUS 0x310d4:$v5: MALWARE 0x310e6:$v6: SCHMIDTI 0x310fa:$v7: CURRENTUSER

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: USD 46947,6 20230101162552.exe

ReversingLabs: Detection: 58%

Machine Learning detection for sample

Source: USD 46947,6 20230101162552.exe

Joe Sandbox ML: detected

Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: USD 46947,6 20230101162552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: USD 46947,6 20230101162552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View

IP Address: 104.237.62.211 104.237.62.211

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 185.118.171.10:587

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 185.118.171.10:587

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.00000000016C5000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006AD0000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006B22000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.panservis.rs
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006AD0000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006B22000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.00000000016C5000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://panservis.rs
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006B22000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: USD 46947,6 20230101162552.exe, 00000000.00000002.263241249.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.USD 46947,6 20230101162552.exe.2813f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.USD 46947,6 20230101162552.exe.27f02cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen

Source: USD 46947,6 20230101162552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.USD 46947,6 20230101162552.exe.2813f78.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.USD 46947,6 20230101162552.exe.27f02cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 0_2_00A7C5CC	0_2_00A7C5CC
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 0_2_00A7E562	0_2_00A7E562
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 0_2_00A7E570	0_2_00A7E570
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_0307C998	2_2_0307C998
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_0307A9D8	2_2_0307A9D8
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_03079DC0	2_2_03079DC0
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_0307A108	2_2_0307A108
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F15290	2_2_06F15290
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F16260	2_2_06F16260
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F10040	2_2_06F10040
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F18C20	2_2_06F18C20
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F11960	2_2_06F11960
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_06F1B7F1	2_2_06F1B7F1
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_071CEEB0	2_2_071CEEB0
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_071CCF60	2_2_071CCF60
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Code function: 2_2_071CF61F	2_2_071CF61F

Source: USD 46947,6 20230101162552.exe, 00000000.00000002.266156675.000000000383B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.273182422.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.266156675.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.266156675.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000000.244147174.0000000000222000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXdgz.exeB vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.263241249.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.509784570.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe, 00000002.00000002.510092558.0000000001338000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs USD 46947,6 20230101162552.exe
Source: USD 46947,6 20230101162552.exe	Binary or memory string: OriginalFilenameXdgz.exeB vs USD 46947,6 20230101162552.exe

Source: USD 46947,6 20230101162552.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: USD 46947,6 20230101162552.exe

ReversingLabs: Detection: 58%

Source: USD 46947,6 20230101162552.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USD 46947,6 20230101162552.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@4/3

Source: USD 46947,6 20230101162552.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, a/aN1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, a/am2.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, a/ag2.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, a/ak2.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.USD 46947,6 20230101162552.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: USD 46947,6 20230101162552.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: USD 46947,6 20230101162552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Code function: 2_2_06F1A8C0 push es; ret

2_2_06F1A8D0

Source: initial sample

Static PE information: section name: .text entropy: 7.655544537096623

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.USD 46947,6 20230101162552.exe.2813f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 46947,6 20230101162552.exe.27f02cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: USD 46947,6 20230101162552.exe PID: 5456, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 5484	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 5512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 4772	Thread sleep count: 3962 > 30	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99534s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99415s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -99121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98633s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98508s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -98279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe TID: 488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Window / User API: threadDelayed 3962

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99649	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99534	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99415	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99265	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 99121	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98889	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98633	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98508	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 98279	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: USD 46947,6 20230101162552.exe, 00000002.00000003.277631305.0000000001691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: USD 46947,6 20230101162552.exe, 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe			Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Process created: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe C:\Users\user\Desktop\USD 46947,6 20230101162552.exe			Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Code function: 2_2_0307F164 GetUserNameW,

2_2_0307F164

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: USD 46947,6 20230101162552.exe PID: 5984, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\USD 46947,6 20230101162552.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: USD 46947,6 20230101162552.exe PID: 5984, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: USD 46947,6 20230101162552.exe PID: 5984, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	1 Input Capture	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Network Configuration Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
USD 46947,6 20230101162552.exe	59%	ReversingLabs	Win32.Trojan.Leonem
USD 46947,6 20230101162552.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.USD 46947,6 20230101162552.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://panservis.rs	0%	Avira URL Cloud	safe
http://mail.panservis.rs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
panservis.rs	185.118.171.10	true	false	unknown
api4.ipify.org	104.237.62.211	true	false	high
api.ipify.org	unknown	unknown	false	high
mail.panservis.rs	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	USD 46947,6 20230101162552.exe, 00000002.00000002.510599694.0000000001666000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.516528893.0000000006B22000.00000004.00000020.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.panservis.rs	USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fontfabrik.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	USD 46947,6 20230101162552.exe, 00000000.00000002.270846018.0000000006742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://panservis.rs	USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, USD 46947,6 20230101162552.exe, 00000002.00000002.511341333.000000000326F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.237.62.211	api4.ipify.org	United States		18450	WEBNXUS	false
185.118.171.10	panservis.rs	Serbia		203877	ASTRATELEKOMRS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	797813
Start date and time:	2023-02-03 12:52:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	USD 46947,6 20230101162552.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@4/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: USD 46947,6 20230101162552.exe

Simulations

Behavior and APIs

Time	Type	Description
12:53:09	API Interceptor	16x Sleep call for process: USD 46947,6 20230101162552.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.237.62.211	SecuriteInfo.com.Win32.PWSX-gen.23219.24986.exe	Get hash	malicious	Browse
	DOC.exe	Get hash	malicious	Browse
	shipment airway_PDF.exe	Get hash	malicious	Browse
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse
	sample_2.doc	Get hash	malicious	Browse
	#INV0903294.html	Get hash	malicious	Browse
	#U266a Download to Listen VoiceT.MK.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	ConfirmingPagadas.vbs	Get hash	malicious	Browse
	mK3GcTbjFV.exe	Get hash	malicious	Browse
	loader.exe	Get hash	malicious	Browse
	Ordine cliente27T182149.764.exe	Get hash	malicious	Browse
	ConfirmingPagadas.vbs	Get hash	malicious	Browse
	E2C31090339C37FAF04CE2489EA35E9E22844B5AEF1A0.exe	Get hash	malicious	Browse
	Purchase order 3812_xls_.exe.exe	Get hash	malicious	Browse
	Purchase order 3812_xls_.exe.exe	Get hash	malicious	Browse
	Final Payment 7news.shtml	Get hash	malicious	Browse
	start.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api4.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.23219.24986.exe	Get hash	malicious	Browse	64.185.227.155
	e-dekont-20230127.exe	Get hash	malicious	Browse	173.231.16.76
	PO-1012023.exe	Get hash	malicious	Browse	64.185.227.155
	Invoice.bat	Get hash	malicious	Browse	173.231.16.76
	NEW PO.exe	Get hash	malicious	Browse	173.231.16.76
	DOC.exe	Get hash	malicious	Browse	104.237.62.211
	1835DIR231029551-CRE001.exe	Get hash	malicious	Browse	173.231.16.76
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	173.231.16.76
	shipment airway_PDF.exe	Get hash	malicious	Browse	64.185.227.155
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	104.237.62.211
	Turkish Armed Forces.doc	Get hash	malicious	Browse	64.185.227.155
	sample_2.doc	Get hash	malicious	Browse	104.237.62.211
	#INV0903294.html	Get hash	malicious	Browse	104.237.62.211
	#U266a Download to Listen VoiceT.MK.exe	Get hash	malicious	Browse	104.237.62.211
	NEW ORDER.exe	Get hash	malicious	Browse	64.185.227.155
	SOA.exe	Get hash	malicious	Browse	173.231.16.76
	#U03c4#U03b1#U03c7#U03b5#U03af#U03b1 #U03b1#U03bd#U03c4#U03b9#U03b3#U03c1#U03b1#U03c6#U03ae.exe	Get hash	malicious	Browse	64.185.227.155
	CV.exe	Get hash	malicious	Browse	173.231.16.76
	e-dekont-20230202.exe	Get hash	malicious	Browse	173.231.16.76
	SOA.exe	Get hash	malicious	Browse	64.185.227.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WEBNXUS	SecuriteInfo.com.Win32.PWSX-gen.23219.24986.exe	Get hash	malicious	Browse	64.185.227.155
	e-dekont-20230127.exe	Get hash	malicious	Browse	173.231.16.76
	PO-1012023.exe	Get hash	malicious	Browse	64.185.227.155
	NEW PO.exe	Get hash	malicious	Browse	173.231.16.76
	DOC.exe	Get hash	malicious	Browse	104.237.62.211
	1835DIR231029551-CRE001.exe	Get hash	malicious	Browse	173.231.16.76
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	173.231.16.76
	shipment airway_PDF.exe	Get hash	malicious	Browse	64.185.227.155
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	104.237.62.211
	Turkish Armed Forces.doc	Get hash	malicious	Browse	64.185.227.155
	sample_2.doc	Get hash	malicious	Browse	64.185.227.155
	#INV0903294.html	Get hash	malicious	Browse	104.237.62.211
	#U266a Download to Listen VoiceT.MK.exe	Get hash	malicious	Browse	104.237.62.211
	NEW ORDER.exe	Get hash	malicious	Browse	64.185.227.155
	SOA.exe	Get hash	malicious	Browse	173.231.16.76
	#U03c4#U03b1#U03c7#U03b5#U03af#U03b1 #U03b1#U03bd#U03c4#U03b9#U03b3#U03c1#U03b1#U03c6#U03ae.exe	Get hash	malicious	Browse	64.185.227.155
	CV.exe	Get hash	malicious	Browse	173.231.16.76
	e-dekont-20230202.exe	Get hash	malicious	Browse	173.231.16.76
	SOA.exe	Get hash	malicious	Browse	64.185.227.155
	Quote_specifications 09321_PDF.exe	Get hash	malicious	Browse	64.185.227.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.PWSX-gen.23219.24986.exe	Get hash	malicious	Browse	104.237.62.211
	e-dekont-20230127.exe	Get hash	malicious	Browse	104.237.62.211
	PO-1012023.exe	Get hash	malicious	Browse	104.237.62.211
	NEW PO.exe	Get hash	malicious	Browse	104.237.62.211
	DOC.exe	Get hash	malicious	Browse	104.237.62.211
	1835DIR231029551-CRE001.exe	Get hash	malicious	Browse	104.237.62.211
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	104.237.62.211
	shipment airway_PDF.exe	Get hash	malicious	Browse	104.237.62.211
	qlDgmH9U5v.exe	Get hash	malicious	Browse	104.237.62.211
	Fedex AWB.exe	Get hash	malicious	Browse	104.237.62.211
	EVP I_287008 O_298659 C_4091 PO_PDF.exe	Get hash	malicious	Browse	104.237.62.211
	ttN2DmfspL.exe	Get hash	malicious	Browse	104.237.62.211
	Ea4GOhqmLB.exe	Get hash	malicious	Browse	104.237.62.211
	file.exe	Get hash	malicious	Browse	104.237.62.211
	bunzipped.exe	Get hash	malicious	Browse	104.237.62.211
	uTk1rXEYc5.exe	Get hash	malicious	Browse	104.237.62.211
	#U266a Download to Listen VoiceT.MK.exe	Get hash	malicious	Browse	104.237.62.211
	NEW ORDER.exe	Get hash	malicious	Browse	104.237.62.211
	Monopoly_ Here .exe	Get hash	malicious	Browse	104.237.62.211
	B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe	Get hash	malicious	Browse	104.237.62.211

Process:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.651024628450768
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	USD 46947,6 20230101162552.exe
File size:	892416
MD5:	680ab6d7a8d07efd8fc74020138b3d9e
SHA1:	fba2cd2d06e466cd1f89901a47dc1a89c018181a
SHA256:	f5c390ae7deb67f68f921833cc2efef8d6b5c24206fdecfd8b72225f663c375c
SHA512:	5f278585658e43a17976c5494c84f5bec90066fab9146d6e927e94c23a513fdf99af655cf7bd47091973bd868cbd9a08f12f9202d684b19e1cbfb8c9d27211a5
SSDEEP:	24576:w3tyil2JCrRMlhUJrp3Gnj6F0xMpqG4yPab:dJoRay2GWiq
TLSH:	CB158D8737B1A8BFF68B407154283F886FA07503BF46A253973739D49B098FBB698151
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4db5ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63DB1AE3 [Thu Feb 2 02:07:31 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdb57c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x3c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd95d4	0xd9600	False	0.8038002264232318	data	7.655544537096623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x3c8	0x400	False	0.390625	data	3.029577880008474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xdc058	0x36c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2023 12:53:12.827476978 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:12.827544928 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:12.827682018 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:12.856395006 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:12.856456041 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.462122917 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.462239027 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:14.466491938 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:14.466537952 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.467026949 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.519855022 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:14.718645096 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:14.718698978 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.900329113 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.900523901 CET	443	49713	104.237.62.211	192.168.2.6
Feb 3, 2023 12:53:14.900667906 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:14.912149906 CET	49713	443	192.168.2.6	104.237.62.211
Feb 3, 2023 12:53:23.755690098 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:23.787813902 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:23.788027048 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:23.909805059 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:23.910830021 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:23.942827940 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:23.943098068 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:23.976852894 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:23.977308989 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.016170979 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.016228914 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.016274929 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.016307116 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.016314030 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.016371012 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.018280029 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.084888935 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.117589951 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.125039101 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.157208920 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.158528090 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.190963030 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:24.191462994 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:24.262743950 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.051621914 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.057759047 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.089752913 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.089864969 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.090137005 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.162909031 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.219125032 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.224812031 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.257009029 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.257062912 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.261451006 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.261549950 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.261573076 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.261609077 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:53:25.293800116 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.293855906 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.293891907 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.293929100 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.325834990 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:53:25.442714930 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:55:03.655808926 CET	49715	587	192.168.2.6	185.118.171.10
Feb 3, 2023 12:55:03.729619026 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:55:03.940788031 CET	587	49715	185.118.171.10	192.168.2.6
Feb 3, 2023 12:55:03.961875916 CET	49715	587	192.168.2.6	185.118.171.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2023 12:53:12.767362118 CET	49448	53	192.168.2.6	8.8.8.8
Feb 3, 2023 12:53:12.788804054 CET	53	49448	8.8.8.8	192.168.2.6
Feb 3, 2023 12:53:12.794749975 CET	59082	53	192.168.2.6	8.8.8.8
Feb 3, 2023 12:53:12.817112923 CET	53	59082	8.8.8.8	192.168.2.6
Feb 3, 2023 12:53:23.602020025 CET	65198	53	192.168.2.6	8.8.8.8
Feb 3, 2023 12:53:23.718657017 CET	53	65198	8.8.8.8	192.168.2.6
Feb 3, 2023 12:53:23.735177994 CET	62910	53	192.168.2.6	8.8.8.8
Feb 3, 2023 12:53:23.754513025 CET	53	62910	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 3, 2023 12:53:12.767362118 CET	192.168.2.6	8.8.8.8	0x6bd2	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.794749975 CET	192.168.2.6	8.8.8.8	0xb4ba	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:23.602020025 CET	192.168.2.6	8.8.8.8	0x9cef	Standard query (0)	mail.panservis.rs	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:23.735177994 CET	192.168.2.6	8.8.8.8	0xa466	Standard query (0)	mail.panservis.rs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 3, 2023 12:53:12.788804054 CET	8.8.8.8	192.168.2.6	0x6bd2	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Feb 3, 2023 12:53:12.788804054 CET	8.8.8.8	192.168.2.6	0x6bd2	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.788804054 CET	8.8.8.8	192.168.2.6	0x6bd2	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.788804054 CET	8.8.8.8	192.168.2.6	0x6bd2	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.817112923 CET	8.8.8.8	192.168.2.6	0xb4ba	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Feb 3, 2023 12:53:12.817112923 CET	8.8.8.8	192.168.2.6	0xb4ba	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.817112923 CET	8.8.8.8	192.168.2.6	0xb4ba	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:12.817112923 CET	8.8.8.8	192.168.2.6	0xb4ba	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:23.718657017 CET	8.8.8.8	192.168.2.6	0x9cef	No error (0)	mail.panservis.rs	panservis.rs		CNAME (Canonical name)	IN (0x0001)	false
Feb 3, 2023 12:53:23.718657017 CET	8.8.8.8	192.168.2.6	0x9cef	No error (0)	panservis.rs		185.118.171.10	A (IP address)	IN (0x0001)	false
Feb 3, 2023 12:53:23.754513025 CET	8.8.8.8	192.168.2.6	0xa466	No error (0)	mail.panservis.rs	panservis.rs		CNAME (Canonical name)	IN (0x0001)	false
Feb 3, 2023 12:53:23.754513025 CET	8.8.8.8	192.168.2.6	0xa466	No error (0)	panservis.rs		185.118.171.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49713	104.237.62.211	443	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe

Timestamp	Direction	Data
2023-02-03 11:53:14 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-02-03 11:53:14 UTC	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain Date: Fri, 03 Feb 2023 11:53:14 GMT Vary: Origin Connection: close
2023-02-03 11:53:14 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 Data Ascii: 102.129.143.10

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 3, 2023 12:53:23.909805059 CET	587	49715	185.118.171.10	192.168.2.6	220-cp1.astratelekom.com ESMTP Exim 4.95 #2 Fri, 03 Feb 2023 12:53:23 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 3, 2023 12:53:23.910830021 CET	49715	587	192.168.2.6	185.118.171.10	EHLO 065367
Feb 3, 2023 12:53:23.942827940 CET	587	49715	185.118.171.10	192.168.2.6	250-cp1.astratelekom.com Hello 065367 [102.129.143.10] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 3, 2023 12:53:23.943098068 CET	49715	587	192.168.2.6	185.118.171.10	STARTTLS
Feb 3, 2023 12:53:23.976852894 CET	587	49715	185.118.171.10	192.168.2.6	220 TLS go ahead

Target ID:	0
Start time:	12:53:02
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Imagebase:	0x220000
File size:	892416 bytes
MD5 hash:	680AB6D7A8D07EFD8FC74020138B3D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264193263.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	12:53:10
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Imagebase:	0x290000
File size:	892416 bytes
MD5 hash:	680AB6D7A8D07EFD8FC74020138B3D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	12:53:11
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\USD 46947,6 20230101162552.exe
Imagebase:	0xed0000
File size:	892416 bytes
MD5 hash:	680AB6D7A8D07EFD8FC74020138B3D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.511341333.000000000323C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	349
Total number of Limit Nodes:	28

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report USD 46947,6 20230101162552.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USD 46947,6 20230101162552.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
USD 46947,6 20230101162552.exe