
Windows Analysis Report SALES INVOICE-CINV-00095891.exe

Overview

General Information

Sample Name:SALES INVOICE-CINV-00095891.exe
Analysis ID:532655
MD5:7fb60726a32580224bbe792404c89b03
SHA1:bc1d157f57b8137d266fbb7e10c59d7d5592630d
SHA256:009e42eeca36392c1e89ae2f75ee45d7e3fc71cadc7d2103d44a98657a6bc471
Tags:exe
Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SALES INVOICE-CINV-00095891.exe (PID: 3112 cmdline: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" MD5: 7FB60726A32580224BBE792404C89B03)
    • RegSvcs.exe (PID: 4420 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 6308 cmdline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@elastopolytec.com", "Password": "id184@2014", "Host": "mail.elastopolytec.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author
4.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 15 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" , ParentImage: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe, ParentProcessId: 3112, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4420
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe" , ParentImage: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe, ParentProcessId: 3112, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4420

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.0.RegSvcs.exe.400000.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@elastopolytec.com", "Password": "id184@2014", "Host": "mail.elastopolytec.com"}
Multi AV Scanner detection for submitted file
Source: SALES INVOICE-CINV-00095891.exe | Virustotal: Detection: 49%
Source: SALES INVOICE-CINV-00095891.exe | Metadefender: Detection: 22%
Source: SALES INVOICE-CINV-00095891.exe | ReversingLabs: Detection: 82%
Source: 4.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SALES INVOICE-CINV-00095891.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000008.00000000.754390057.0000000000382000.00000002.00020000.sdmp, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
Source: Joe Sandbox View | ASN Name: LEASEWEB-DE-FRA-10DE LEASEWEB-DE-FRA-10DE
Source: Joe Sandbox View | IP Address: 78.159.106.214 78.159.106.214
Source: global traffic | TCP traffic: 192.168.2.4:49827 -> 78.159.106.214:587
Source: global traffic | TCP traffic: 192.168.2.4:49827 -> 78.159.106.214:587
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://TgMQMD.com
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937179575.0000000005E30000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://elastopolytec.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://mail.elastopolytec.com
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937179575.0000000005E30000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691813769.0000000001777000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com5
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691813769.0000000001777000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegSvcs.exe, 00000004.00000003.888297672.0000000005E4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://f7YBey8N6KRpBOoc1JqK.net
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://f7YBey8N6KRpBOoc1JqK.netT
Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937179575.0000000005E30000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.elastopolytec.com
Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691207332.00000000014A0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: SALES INVOICE-CINV-00095891.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE0F69EC9u002dE56Bu002d4F92u002dAE48u002dA011E4A95DA1u007d/u00313B7390Eu002d23ADu002d4960u002d9104u002d1D15BA2951E5.csLarge array initialization: .cctor: array initializer size 11954
                      Source: 4.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bE0F69EC9u002dE56Bu002d4F92u002dAE48u002dA011E4A95DA1u007d/u00313B7390Eu002d23ADu002d4960u002d9104u002d1D15BA2951E5.csLarge array initialization: .cctor: array initializer size 11954
                      Source: 4.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bE0F69EC9u002dE56Bu002d4F92u002dAE48u002dA011E4A95DA1u007d/u00313B7390Eu002d23ADu002d4960u002d9104u002d1D15BA2951E5.csLarge array initialization: .cctor: array initializer size 11954
                      Source: 4.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE0F69EC9u002dE56Bu002d4F92u002dAE48u002dA011E4A95DA1u007d/u00313B7390Eu002d23ADu002d4960u002d9104u002d1D15BA2951E5.csLarge array initialization: .cctor: array initializer size 11954
                      Source: 4.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bE0F69EC9u002dE56Bu002d4F92u002dAE48u002dA011E4A95DA1u007d/u00313B7390Eu002d23ADu002d4960u002d9104u002d1D15BA2951E5.csLarge array initialization: .cctor: array initializer size 11954
                      Source: SALES INVOICE-CINV-00095891.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_0148C104
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_0148E540
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_0148E550
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B61BE
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B4A28
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B7200
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B7528
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B5E20
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B4A18
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_031B72A1
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_07780040
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeCode function: 1_2_07782DE3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0102AB28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01022768
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01021FF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0102E3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0104C158
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01040064
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01047888
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01042A6D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010456A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0104B160
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01048E48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012C47A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012C3CCC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012C46B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012C5490
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012C3CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F35690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F31620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F37010
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F34E70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F31E10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_05F3ABD8
                      Source: SALES INVOICE-CINV-00095891.exeBinary or memory string: OriginalFilename vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691207332.00000000014A0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.690344518.0000000000CE2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISymbolMeth.exeN vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUxDdSarWZpLFqEPnALjm.exe4 vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694505753.00000000075F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUxDdSarWZpLFqEPnALjm.exe4 vs SALES INVOICE-CINV-00095891.exe
                      Source: SALES INVOICE-CINV-00095891.exeBinary or memory string: OriginalFilenameISymbolMeth.exeN vs SALES INVOICE-CINV-00095891.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: SALES INVOICE-CINV-00095891.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SALES INVOICE-CINV-00095891.exeVirustotal: Detection: 49%
                      Source: SALES INVOICE-CINV-00095891.exeMetadefender: Detection: 22%
                      Source: SALES INVOICE-CINV-00095891.exeReversingLabs: Detection: 82%
                      Source: SALES INVOICE-CINV-00095891.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe"
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SALES INVOICE-CINV-00095891.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Mutant created: \Sessions\1\BaseNamedObjects\rpvuinoqqRDQgL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01
                      Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: SALES INVOICE-CINV-00095891.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SALES INVOICE-CINV-00095891.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000008.00000000.754390057.0000000000382000.00000002.00020000.sdmp, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr
                      Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe, 0000000B.00000000.771567330.0000000000532000.00000002.00020000.sdmp, NXLun.exe.4.dr

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: SALES INVOICE-CINV-00095891.exe, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SALES INVOICE-CINV-00095891.exe.ce0000.0.unpack, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SALES INVOICE-CINV-00095891.exe.ce0000.0.unpack, u000fu2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_00CE75CE push ss; retf
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_031B688C push 8B014245h; iretd
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Code function: 1_2_07785E10 push eax; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01027E3F push edi; retn 0000h
                      Source: initial sample | Static PE information: section name: .text entropy: 7.77662695423
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: SALES INVOICE-CINV-00095891.exe PID: 3112, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp, SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp, SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe TID: 4460 | Thread sleep time: -34685s >= -30000s
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe TID: 1380 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 584 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6860 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1571
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8267
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Thread delayed: delay time: 34685
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: SALES INVOICE-CINV-00095891.exe, 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0102EFC8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B62008
                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000004.00000002.935030279.0000000001730000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000004.00000002.935030279.0000000001730000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000004.00000002.935030279.0000000001730000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000004.00000002.935030279.0000000001730000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.432ff20.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.42f9d00.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.432ff20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.42f9d00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.687749581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.934134145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.688566599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: SALES INVOICE-CINV-00095891.exe PID: 3112, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.432ff20.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.42f9d00.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.432ff20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.SALES INVOICE-CINV-00095891.exe.42f9d00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.687749581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.934134145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.688566599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: SALES INVOICE-CINV-00095891.exe PID: 3112, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      (Digits in parentheses are the signature counts shown as superscripts in the original matrix; "-" marks an empty cell.)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation (211) | Registry Run Keys / Startup Folder (1) | Process Injection (312) | File and Directory Permissions Modification (1) | OS Credential Dumping (2) | System Information Discovery (114) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Disable or Modify Tools (1) | Input Capture (1) | Query Registry (1) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | Security Software Discovery (211) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture (1) | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | - | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (13) | LSA Secrets | Virtualization/Sandbox Evasion (131) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (1) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (131) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (312) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

Behavior Graph

Behavior Graph ID: 532655
Sample: SALES INVOICE-CINV-00095891.exe
Start date: 02/12/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample:

• Found malware configuration
• Multi AV Scanner detection for submitted file
• Yara detected AgentTesla
• 6 other signatures

Process tree (text rendering of the graph):

• SALES INVOICE-CINV-00095891.exe (started)
  • Created file: C:\...\SALES INVOICE-CINV-00095891.exe.log, ASCII (dropped)
  • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • RegSvcs.exe (started)
    • DNS/IP: elastopolytec.com, 78.159.106.214, ports 49827 / 587, LEASEWEB-DE-FRA-10DE, Germany
    • DNS: mail.elastopolytec.com
    • Created file: C:\Users\user\AppData\Roaming\...\NXLun.exe, PE32 (dropped)
    • Created file: C:\Windows\System32\drivers\etc\hosts, ASCII (dropped)
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
• NXLun.exe (started)
  • conhost.exe (started)
• NXLun.exe (started)
  • conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SALES INVOICE-CINV-00095891.exe | 49% | Virustotal |
SALES INVOICE-CINV-00095891.exe | 23% | Metadefender |
SALES INVOICE-CINV-00095891.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
4.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
elastopolytec.com | 0% | Virustotal |
mail.elastopolytec.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://elastopolytec.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://mail.elastopolytec.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://f7YBey8N6KRpBOoc1JqK.net | 0% | Avira URL Cloud | safe
http://TgMQMD.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.com5 | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
https://f7YBey8N6KRpBOoc1JqK.netT | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elastopolytec.com | 78.159.106.214 | true | true | | unknown
mail.elastopolytec.com | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | RegSvcs.exe, 00000004.00000003.894113443.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937179575.0000000005E30000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.937267943.0000000005E5B000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000003.894151653.0000000005E74000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://elastopolytec.com | RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft. | RegSvcs.exe, 00000004.00000003.888297672.0000000005E4E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691813769.0000000001777000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://mail.elastopolytec.com | RegSvcs.exe, 00000004.00000002.935657713.0000000002FAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://f7YBey8N6KRpBOoc1JqK.net | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://TgMQMD.com | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com5 | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.691813769.0000000001777000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://f7YBey8N6KRpBOoc1JqK.netT | RegSvcs.exe, 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.694207119.0000000007132000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SALES INVOICE-CINV-00095891.exe, 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
78.159.106.214 | elastopolytec.com | Germany | 28753 | LEASEWEB-DE-FRA-10DE | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532655
Start date: 02.12.2021
Start time: 15:40:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SALES INVOICE-CINV-00095891.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 77%
• Quality standard deviation: 5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
15:41:20 | API Interceptor | 1x Sleep call for process: SALES INVOICE-CINV-00095891.exe modified
15:41:32 | API Interceptor | 732x Sleep call for process: RegSvcs.exe modified
15:41:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
15:41:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
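The Simulations table above records the Run-key persistence, and the behavior graph records the RegSvcs.exe child process, the hosts-file drop and the SMTP connection to mail.elastopolytec.com on port 587. What follows is an added example, not part of the Joe Sandbox report and not its code, of turning those four observations into triage rules over Sysmon-style process, registry, file and network events. The event records are constructed here (field names follow Sysmon's conventions), the list of .NET utilities treated as sacrificial hosts and the mail-client allowlist are assumptions, and the RegSvcs.exe path is the conventional Framework v4.0.30319 location, not something the report states.

```python
"""Triage rules modelled on the behaviour this report records: a user-profile
.NET executable starting RegSvcs.exe with no arguments (the injected host),
a HKCU Run value pointing into the user profile, a write to
drivers\\etc\\hosts, and an SMTP-submission (TCP 587) connection from the
injected process.  Added example, not Joe Sandbox code; the event records
are constructed here in Sysmon-style field names, not taken from the report."""
import ntpath
import re
from typing import Callable, Dict, List

# Assumed lists: .NET framework utilities commonly hollowed as sacrificial
# hosts, and mail clients for which outbound SMTP is expected.
DOTNET_SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                      "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {"25", "465", "587"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.I)

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"  # assumed path
SAMPLE = r"C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe"

# Constructed telemetry shaped after the report's process tree, Run value,
# hosts-file drop and SMTP connection; the last record is a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": "1", "Image": REGSVCS, "ParentImage": SAMPLE, "CommandLine": REGSVCS},
    {"EventID": "13", "Image": REGSVCS,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\NXLun",
     "Details": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"},
    {"EventID": "11", "Image": REGSVCS,
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": "3", "Image": REGSVCS, "DestinationIp": "78.159.106.214",
     "DestinationPort": "587", "DestinationHostname": "mail.elastopolytec.com"},
    {"EventID": "1", "Image": REGSVCS,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": f'"{REGSVCS}" "C:\\build\\MyService.dll"'},
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (optionally quoted) image token."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        rest = cmd.partition(" ")[2]
    return rest.strip() != ""


def sacrificial_process(ev: Dict[str, str]) -> bool:
    """.NET utility started with no arguments by a parent in a user-writable path."""
    return (ev.get("EventID") == "1"
            and base(ev.get("Image", "")) in DOTNET_SACRIFICIAL
            and not has_arguments(ev.get("CommandLine", ""))
            and bool(USER_WRITABLE.match(ev.get("ParentImage", ""))))


def runkey_to_user_dir(ev: Dict[str, str]) -> bool:
    """Run/RunOnce value whose data points into a user profile."""
    return (ev.get("EventID") == "13"
            and bool(RUN_KEY.search(ev.get("TargetObject", "")))
            and bool(USER_WRITABLE.match(ev.get("Details", "").strip('"'))))


def hosts_file_write(ev: Dict[str, str]) -> bool:
    return ev.get("EventID") == "11" and bool(HOSTS_FILE.search(ev.get("TargetFilename", "")))


def smtp_from_non_mail_client(ev: Dict[str, str]) -> bool:
    return (ev.get("EventID") == "3"
            and ev.get("DestinationPort") in SMTP_PORTS
            and base(ev.get("Image", "")) not in MAIL_CLIENTS)


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "sacrificial_process": sacrificial_process,
    "runkey_to_user_dir": runkey_to_user_dir,
    "hosts_file_write": hosts_file_write,
    "smtp_from_non_mail_client": smtp_from_non_mail_client,
}


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each image to the sorted rules it tripped; several hits on one
    image is the injection-persistence-exfiltration chain worth escalating."""
    hits: Dict[str, set] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev.get("Image", ""), set()).add(name)
    return {img: sorted(names) for img, names in hits.items()}


if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

triage() keys its findings by image, so the four observations converge on RegSvcs.exe. The constructed control record (RegSvcs.exe started by devenv.exe with an assembly argument, from outside a user-writable path) trips nothing, which is why the sacrificial-process rule keys on the empty command line and the parent's location together rather than on the image name alone.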

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
78.159.106.214 | SALES INVOICE-CINV-00095891.exe | malicious
78.159.106.214 | purchase order.exe | malicious
78.159.106.214 | incorrect payment information.exe | malicious
78.159.106.214 | New Order.exe | malicious
78.159.106.214 | UW0Lx1YV5l.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
LEASEWEB-DE-FRA-10DE | txAfyNjwr9 | malicious | 5.61.47.76
LEASEWEB-DE-FRA-10DE | SALES INVOICE-CINV-00095891.exe | malicious | 78.159.106.214
LEASEWEB-DE-FRA-10DE | mal1.html | malicious | 78.159.114.6
LEASEWEB-DE-FRA-10DE | purchase order.exe | malicious | 78.159.106.214
LEASEWEB-DE-FRA-10DE | incorrect payment information.exe | malicious | 78.159.106.214
LEASEWEB-DE-FRA-10DE | New Order.exe | malicious | 78.159.106.214
LEASEWEB-DE-FRA-10DE | Acrobat Pro DC.exe | malicious | 45.93.4.106
LEASEWEB-DE-FRA-10DE | F0ihkIMDf2 | malicious | 46.165.250.228
LEASEWEB-DE-FRA-10DE | 6oi3E5jdTR.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | Jm3x80kZjO.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | 4BxZpwUFPO.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | ueLBQQ6b5q.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | 9d185a3e5184065f1628af9d8325e53b8503a0f7705e5.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | dmW1tM5CTZ.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | sboPQqfpHN.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | oytu1F59dV.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | Km5KAxQLLV.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | mJ1frOovsp.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | f25d7dae55dc8c848e9fed3f218f886f4ca4412e5b94a.exe | malicious | 5.61.41.8
LEASEWEB-DE-FRA-10DE | 8cc8f28391efb0099a231da1df27d6acc2a9dbfdc11d5.exe | malicious | 5.61.41.8

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | JSGD-09873673893873.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | SOA.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Bank payment swift message.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | PAYMENT PROOF.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | SOA.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | DOCUMENT.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | swift copy.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | TT COPY.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Purchase order.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | PAYMENT SLIP OF SY21.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | INVOICE.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | IMGLM_09846456748-4098476748464.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | remitted payment.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | PAYMENT SLIP OF SY21.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | request quotation.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | swift copy.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | BCAVT_C0938763-398763693863.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | DOC.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SALES INVOICE-CINV-00095891.exe.log
Process: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: JSGD-09873673893873.exe, Detection: malicious
• Filename: DHL SHIPMENT NOTIFICATION 284748395PD.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: Bank payment swift message.exe, Detection: malicious
• Filename: PAYMENT PROOF.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: DOCUMENT.exe, Detection: malicious
• Filename: swift copy.exe, Detection: malicious
• Filename: TT COPY.exe, Detection: malicious
• Filename: Purchase order.exe, Detection: malicious
• Filename: PAYMENT SLIP OF SY21.exe, Detection: malicious
• Filename: INVOICE.exe, Detection: malicious
• Filename: IMGLM_09846456748-4098476748464.exe, Detection: malicious
• Filename: remitted payment.exe, Detection: malicious
• Filename: PAYMENT SLIP OF SY21.exe, Detection: malicious
• Filename: request quotation.exe, Detection: malicious
• Filename: swift copy.exe, Detection: malicious
• Filename: BCAVT_C0938763-398763693863.exe, Detection: malicious
• Filename: DOC.exe, Detection: malicious
• Filename: DHL SHIPMENT NOTIFICATION 284748395PD.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 835
Entropy (8bit): 4.694294591169137
Encrypted: false
SSDEEP: 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5: 6EB47C1CF858E25486E42440074917F2
SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512: 08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious: true
Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
\Device\ConDrv
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1141
Entropy (8bit): 4.44831826838854
Encrypted: false
SSDEEP: 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512: 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious: false
Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.767039139671049
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SALES INVOICE-CINV-00095891.exe
File size: 559104
MD5: 7fb60726a32580224bbe792404c89b03
SHA1: bc1d157f57b8137d266fbb7e10c59d7d5592630d
SHA256: 009e42eeca36392c1e89ae2f75ee45d7e3fc71cadc7d2103d44a98657a6bc471
SHA512: 4b809ee1c5ec3b1724dc37fef637bc6ee6744078e50315df79b962abf33b2e43f56264467ad189921df1f03846b9cff386d38ebc267287f4018a8ab9e07dbb6c
SSDEEP: 12288:M9oLcHkRzhiT0Plgp29kGTLpyLVoG/aixBFmy:tgHkR7Plgp29fp8Ii19
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.a.................~............... ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x489c06
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61A028B7 [Fri Nov 26 00:22:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89bac | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x5b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x87c0c | 0x87e00 | False | 0.862914702162 | data | 7.77662695423 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x5b0 | 0x600 | False | 0.428385416667 | data | 4.35189475516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x8a0a0 | 0x35c | data | |
RT_MANIFEST | 0x8a3fc | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | ISymbolMeth.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Ginger Grammer Checker
ProductVersion | 1.0.0.0
FileDescription | Ginger Grammer Checker
OriginalFilename | ISymbolMeth.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 15:42:59.585386038 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:42:59.617155075 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:42:59.617387056 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.058691025 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.060075045 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.092369080 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.093019962 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.129019976 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.164823055 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.211505890 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.211539984 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.211592913 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.211611986 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.211652040 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.211708069 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.217029095 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.261904001 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.294534922 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.340192080 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.384836912 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.416940928 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.417574883 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.450505972 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.451289892 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.495151997 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.496640921 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.528733015 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.529371977 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.569813967 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.570523024 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.602411985 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.604542017 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.604805946 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.605603933 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.606637955 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214
Dec 2, 2021 15:43:00.636459112 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.636483908 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.637413979 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.638349056 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.640974998 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4
Dec 2, 2021 15:43:00.683986902 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 15:42:59.483324051 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Dec 2, 2021 15:42:59.512209892 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Dec 2, 2021 15:42:59.527587891 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Dec 2, 2021 15:42:59.565972090 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 15:42:59.483324051 CET | 192.168.2.4 | 8.8.8.8 | 0xedb2 | Standard query (0) | mail.elastopolytec.com | A (IP address) | IN (0x0001)
Dec 2, 2021 15:42:59.527587891 CET | 192.168.2.4 | 8.8.8.8 | 0xb588 | Standard query (0) | mail.elastopolytec.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 15:42:59.512209892 CET | 8.8.8.8 | 192.168.2.4 | 0xedb2 | No error (0) | mail.elastopolytec.com | elastopolytec.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 15:42:59.512209892 CET | 8.8.8.8 | 192.168.2.4 | 0xedb2 | No error (0) | elastopolytec.com | | 78.159.106.214 | A (IP address) | IN (0x0001)
Dec 2, 2021 15:42:59.565972090 CET | 8.8.8.8 | 192.168.2.4 | 0xb588 | No error (0) | mail.elastopolytec.com | elastopolytec.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 15:42:59.565972090 CET | 8.8.8.8 | 192.168.2.4 | 0xb588 | No error (0) | elastopolytec.com | | 78.159.106.214 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 2, 2021 15:43:00.058691025 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4 | 220-saturn.worldindia.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 20:13:00 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Dec 2, 2021 15:43:00.060075045 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214 | EHLO 141700
Dec 2, 2021 15:43:00.092369080 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4 | 250-saturn.worldindia.com Hello 141700 [84.17.52.65]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Dec 2, 2021 15:43:00.093019962 CET | 49827 | 587 | 192.168.2.4 | 78.159.106.214 | STARTTLS
Dec 2, 2021 15:43:00.129019976 CET | 587 | 49827 | 78.159.106.214 | 192.168.2.4 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:41:13
Start date: 02/12/2021
Path: C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SALES INVOICE-CINV-00095891.exe"
Imagebase: 0xce0000
File size: 559104 bytes
MD5 hash: 7FB60726A32580224BBE792404C89B03
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.692645247.0000000003284000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.693046792.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.692539703.00000000031D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:41:22
Start date: 02/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x950000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.687359497.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.688156708.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.687749581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.687749581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.934134145.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.934134145.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.688566599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.688566599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.935081423.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:41:54
Start date: 02/12/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
Imagebase: 0x380000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 15:41:54
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:42:02
Start date: 02/12/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
Imagebase: 0x530000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 15:42:02
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
