Windows Analysis Report
Overdue invoice.exe

Overview

General Information

Sample Name: Overdue invoice.exe
Analysis ID: 635084
MD5: 21c2f8cc3f1d71ffb036ca3788a346b6
SHA1: b1f681eb0c5b406bad2414829d003568ab44982c
SHA256: 8e68ac628396cbb8619a54ffce8aedae2a20ca23e514813b70c99987175f735d
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 19.0.yqWDN.exe.400000.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ashutosh@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source: Overdue invoice.exe Virustotal: Detection: 60%
Source: Overdue invoice.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe ReversingLabs: Detection: 60%
Source: Overdue invoice.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe Joe Sandbox ML: detected
Source: 19.0.yqWDN.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 19.2.yqWDN.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 7.2.Overdue invoice.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: Overdue invoice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Overdue invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49745 -> 206.183.111.188:587
Source: Joe Sandbox View ASN Name: WEBWERKS-AS-INWebWerksIndiaPvtLtdIN WEBWERKS-AS-INWebWerksIndiaPvtLtdIN
Source: Joe Sandbox View IP Address: 206.183.111.188 206.183.111.188
Source: global traffic TCP traffic: 192.168.2.3:49715 -> 206.183.111.188:587
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dWZLeu.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Overdue invoice.exe, 00000007.00000002.522968890.0000000003760000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.jkudyog.com
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Overdue invoice.exe, 00000000.00000003.265415364.000000000590A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Overdue invoice.exe, 00000000.00000003.259988892.0000000005908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/3C
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260841728.0000000005935000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTFlC
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdC
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdc
Source: Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comepko
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlicF
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comoGC
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttoF
Source: Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Overdue invoice.exe, 00000000.00000003.253007661.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253040437.000000000591B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comn
Source: Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn//:
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/l
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cne-d
Source: Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254953312.000000000590B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnoO
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnt-ia
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnz
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Overdue invoice.exe, 00000000.00000003.252984688.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252856713.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252888263.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253011774.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252782511.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253067018.0000000005924000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252808922.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253115594.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252958098.000000000591E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr$A
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr=
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krF1
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253859484.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253816400.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253456642.000000000591B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comc
Source: Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comh
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.depA
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net
Source: Overdue invoice.exe, 00000007.00000003.315746874.00000000011D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net8
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.jkudyog.com
Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Overdue invoice.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: initial sample Static PE information: Filename: Overdue invoice.exe
Source: 7.0.Overdue invoice.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.cs Large array initialization: .cctor: array initializer size 11614
Source: 7.0.Overdue invoice.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.cs Large array initialization: .cctor: array initializer size 11614
Source: 7.0.Overdue invoice.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.cs Large array initialization: .cctor: array initializer size 11614
Source: 7.2.Overdue invoice.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.cs Large array initialization: .cctor: array initializer size 11614
Source: Overdue invoice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: Overdue invoice.exe, 00000000.00000000.250199094.00000000005C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.299437457.0000000002C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.304201924.0000000007160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000005.00000002.290997467.0000000000396000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000000.295675285.0000000001086000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.521143332.00000000016E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000003.316115485.0000000006A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.520543885.00000000014F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue invoice.exe
Source: Overdue invoice.exe Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dYXeRswtYBrq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yqWDN.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Overdue invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dYXeRswtYBrq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yqWDN.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Overdue invoice.exe Virustotal: Detection: 60%
Source: Overdue invoice.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Overdue invoice.exe File read: C:\Users\user\Desktop\Overdue invoice.exe
Source: Overdue invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Overdue invoice.exe "C:\Users\user\Desktop\Overdue invoice.exe"
Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe
Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/8@3/2
Source: C:\Users\user\Desktop\Overdue invoice.exe File read: C:\Users\user\Desktop\desktop.ini
Source: Overdue invoice.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Overdue invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
Source: 7.0.Overdue invoice.exe.400000.10.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.6.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.12.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Overdue invoice.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Overdue invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Overdue invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Overdue invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 0_2_027366AD push FFFFFF8Bh; iretd 0_2_027366AF
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 0_2_07263D82 push esi; retf 0_2_07263D98
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_016D5170 push es; ret 7_2_016D5188
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_016D5150 push es; ret 7_2_016D5168
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE5D push es; retf 7_2_064EAE84
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE1E push es; retf 7_2_064EAE20
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE1A push es; retf 7_2_064EAE1C
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE16 push es; retf 7_2_064EAE18
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE2E push es; retf 7_2_064EAE30
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE2A push es; retf 7_2_064EAE2C
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE26 push es; retf 7_2_064EAE28
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE22 push es; retf 7_2_064EAE24
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE3A push es; retf 7_2_064EAE3C
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE36 push es; retf 7_2_064EAE38
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAE32 push es; retf 7_2_064EAE34
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAC41 push es; retf 7_2_064EACBC
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EACBE push es; retf 7_2_064EAD54
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAD56 push es; retf 7_2_064EAE14
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EBA60 push es; ret 7_2_064EBA70
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064EAA09 push es; retf 7_2_064EAC24
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_064E3139 push es; iretd 7_2_064E313C
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C697CB push ss; ret 7_2_06C697D2
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C617E9 push es; ret 7_2_06C618C4
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C69783 push ss; ret 7_2_06C697CA
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C61789 push es; ret 7_2_06C618C4
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C6177F push es; ret 7_2_06C618C4
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C6977B push ss; ret 7_2_06C69782
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C69778 push ss; ret 7_2_06C6977A
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C63330 push es; iretd 7_2_06C641D0
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C618CB push es; ret 7_2_06C61910
Source: C:\Users\user\Desktop\Overdue invoice.exe Code function: 7_2_06C618AF push es; ret 7_2_06C61910
Source: initial sample Static PE information: section name: .text entropy: 7.65168574947
Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe

Boot Survival

Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Users\user\Desktop\Overdue invoice.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDN

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Overdue invoice.exe File opened: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 4264 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 Thread sleep count: 4378 > 30
Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 Thread sleep count: 4299 > 30
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7128 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 Thread sleep count: 3465 > 30
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 Thread sleep count: 5329 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Overdue invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Overdue invoice.exe Window / User API: threadDelayed 4378
Source: C:\Users\user\Desktop\Overdue invoice.exe Window / User API: threadDelayed 4299
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Window / User API: threadDelayed 3465
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Window / User API: threadDelayed 5329
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Thread delayed: delay time: 922337203685477
Source: yqWDN.exe, 0000000F.00000002.371657286.0000000000E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Overdue invoice.exe, 00000007.00000002.521324973.0000000001715000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Overdue invoice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Overdue invoice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Overdue invoice.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Overdue invoice.exe Memory written: C:\Users\user\Desktop\Overdue invoice.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Memory written: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Overdue invoice.exe File written: C:\Windows\System32\drivers\etc\hosts
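The report records only that the sample wrote the hosts file, not what it wrote. The following is an added example of the check an analyst would run on an affected host; it is not Joe Sandbox code and nothing in it is recovered from the sample. It parses a hosts file, drops the stock localhost mapping and reports every other entry, labelling watchlisted names as blocked (loopback or 0.0.0.0 target) or redirected (any other target). SAMPLE_HOSTS and WATCHLIST are constructed assumptions.

```python
"""Audit a Windows hosts file for name-resolution overrides.

Added example for the "File written: ...\\drivers\\etc\\hosts" finding above;
not Joe Sandbox code.  SAMPLE_HOSTS and WATCHLIST are constructed assumptions.
"""
import ipaddress
import os
from pathlib import Path

# Targets that turn an entry into a block/sinkhole rather than a redirect.
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed watchlist: names whose override would matter most on this host.
WATCHLIST = ("virustotal.com", "example-av.test")

# Constructed sample; the report does not disclose what the malware wrote.
SAMPLE_HOSTS = """\
# constructed sample hosts file
#       127.0.0.1       localhost
127.0.0.1 localhost
127.0.0.1 virustotal.com www.virustotal.com   # vendor lookups blocked
0.0.0.0 update.example-av.test
198.51.100.7 login.example-bank.test
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping.

    Blank lines and '#' comments are skipped and inline comments stripped;
    a first token that is not an IP address is kept with ip='?' so a
    malformed line is still surfaced rather than silently dropped.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, *hosts = line.split()
        try:
            ip = str(ipaddress.ip_address(first))
        except ValueError:
            entries.append(("?", first, no))
            continue
        for host in hosts:
            entries.append((ip, host.lower(), no))
    return entries


def audit_hosts(text, watchlist=WATCHLIST):
    """List the entries an analyst should review.

    The plain localhost mappings are dropped; everything else is reported,
    with watchlisted names labelled as blocked (black-hole target) or
    redirected (any other target).
    """
    findings = []
    for ip, host, no in parse_hosts(text):
        if ip in BLACKHOLE and host in ("localhost", "localhost.localdomain"):
            continue
        listed = any(host == w or host.endswith("." + w) for w in watchlist)
        if listed:
            reason = "watchlisted name blocked" if ip in BLACKHOLE else "watchlisted name redirected"
        else:
            reason = "non-default mapping"
        findings.append({"line": no, "ip": ip, "host": host, "reason": reason})
    return findings


def audit_live_hosts_file():
    """Audit the real file on a Windows host (returns [] where it is absent)."""
    path = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32/drivers/etc/hosts"
    return audit_hosts(path.read_text(errors="replace")) if path.exists() else []


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['ip']:<15} {f['host']:<30} {f['reason']}")
```

Run it on the real file with audit_live_hosts_file(); an empty result on a clean Windows install is expected because the stock file carries only comments. Any non-default mapping in a host that ran this sample should be treated as attacker-controlled until the write is explained.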

Stealing of Sensitive Information

Source: Yara match File source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
Source: C:\Users\user\Desktop\Overdue invoice.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
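The file and registry accesses listed in this section are the report's evidence for the credential-theft signatures. The following is an added example, not Joe Sandbox code, of turning those lines into a per-process view of which applications' stored secrets were read: it parses lines of the form "Source: <process> <action>: <path>" and maps each path to the application that keeps credentials there. The STORES table is an assumption derived from the paths in this report; SAMPLE_LINES are copied from this section, plus one MachineGuid line to show that a non-credential access is ignored.

```python
"""Classify the file and registry accesses above as credential-store reads.

Added example (not Joe Sandbox code).  STORES is an assumed mapping built
from the paths this report lists; SAMPLE_LINES are copied from the report.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One behaviour line; the rendered report may append "Jump to behavior".
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+"
    r"(?P<action>File opened|File written|Key opened|Key value queried):\s+"
    r"(?P<target>.+?)\s*(?:Jump to behavior)?\s*$"
)

# (pattern over the file path or registry key, application, what a read yields)
STORES = [
    (r"\\Thunderbird\\profiles\.ini$",                    "Thunderbird", "mail credentials"),
    (r"Windows Messaging Subsystem\\Profiles\\Outlook\\", "Outlook",     "mail credentials"),
    (r"\\IncrediMail\\Identities$",                       "IncrediMail", "mail credentials"),
    (r"\\Martin Prikryl\\WinSCP 2\\Sessions$",            "WinSCP",      "sftp sessions"),
    (r"\\SmartFTP\\Client 2\.0\\Favorites\\",             "SmartFTP",    "ftp sessions"),
    (r"\\FileZilla\\recentservers\.xml$",                 "FileZilla",   "ftp sessions"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$",               "Firefox",     "browser logins"),
    (r"\\Google\\Chrome\\User Data\\.*\\Login Data$",     "Chrome",      "browser logins"),
]
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts$", re.I)

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe File written: C:\Windows\System32\drivers\etc\hosts",
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ ",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    # Not a credential store; included to show it is ignored.
    r"Source: C:\Users\user\Desktop\Overdue invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]


def classify(line):
    """Return (process, action, application, what) for a line that touches a
    credential store or writes the hosts file; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, action, target = PureWindowsPath(m["proc"]).name, m["action"], m["target"]
    if action == "File written" and HOSTS_RE.search(target):
        return (proc, action, "hosts file", "name resolution override")
    for pattern, app, what in STORES:
        if re.search(pattern, target, re.I):
            return (proc, action, app, what)
    return None


def summarize(lines):
    """Per-process map application -> what its store yields, plus a stealer
    verdict: reads of two or more distinct kinds of credential."""
    per_proc = defaultdict(dict)
    for line in lines:
        hit = classify(line)
        if hit:
            proc, _, app, what = hit
            per_proc[proc][app] = what
    kinds = {what for apps in per_proc.values() for what in apps.values()}
    kinds.discard("name resolution override")
    return {"processes": dict(per_proc), "stealer_like": len(kinds) >= 2}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for proc, apps in result["processes"].items():
        print(proc, "->", ", ".join(f"{a} ({w})" for a, w in apps.items()))
    print("stealer-like:", result["stealer_like"])
```

The same table works as a hunting query on an EDR that logs file and registry opens: a single process touching Thunderbird's profiles.ini, the Outlook profile key, WinSCP sessions and Chrome's Login Data has no legitimate reason to read all four.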

Remote Access Functionality

Source: Yara match File source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
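The Yara matches above name three kinds of artefact: UNPACKEDPE ("<proc>.<phase>.<image>.<base>.<n>[.raw].unpack"), MEMORY ("<proc>.<phase>.<id>.<base>.<protect>.<x>.<type>.<y>.sdmp") and MEMORYSTR ("Process Memory Space: <image> PID: <n>"). The following is an added example, not Joe Sandbox code, of parsing them into a triage list: the PIDs to dump, the private RWX regions where an injected PE body would live, and the unpacked images per process index. Reading the MEMORY name fields as process index, snapshot phase, region base, page protection and region type is an assumption; the two unlabelled fields are left uninterpreted. SAMPLE_LINES are a subset copied from this section.

```python
"""Turn the Yara match sources above into a memory-triage list.

Added example, not Joe Sandbox code.  The field meanings assumed for the
.sdmp names are: process index, phase, id, base, protection, (unknown),
region type, (unknown).  SAMPLE_LINES are copied from the report.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # winnt.h
MEM_PRIVATE = 0x20000           # winnt.h (a mapped image would be MEM_IMAGE, 0x1000000)

SOURCE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>\w+)$")
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$", re.I)
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<id>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$", re.I)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")

SAMPLE_LINES = [
    "Source: Yara match File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR",
]


def parse_source(line):
    """Parse one 'Yara match' line into a dict, or None if it is not one."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    if kind == "MEMORYSTR" and (p := MEMSTR_RE.match(src)):
        return {"kind": kind, "image": p["image"], "pid": int(p["pid"])}
    if kind == "MEMORY" and (s := SDMP_RE.match(src)):
        return {"kind": kind, "proc": int(s["idx"], 16), "phase": int(s["phase"], 16),
                "base": int(s["base"], 16), "protect": int(s["protect"], 16),
                "mem_type": int(s["type"], 16)}
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        return {"kind": kind, "proc": int(u["idx"]), "phase": int(u["phase"]),
                "image": u["image"], "base": int(u["base"], 16), "raw": bool(u["raw"])}
    return None


def triage(lines):
    """Collect what to pull: PIDs to dump, private RWX regions (where an
    injected PE body lives), and unpacked image bases per process index."""
    arts = [a for a in map(parse_source, lines) if a]
    pids = sorted({(a["image"], a["pid"]) for a in arts if a["kind"] == "MEMORYSTR"})
    rwx = sorted({(a["proc"], a["base"]) for a in arts
                  if a["kind"] == "MEMORY" and a["protect"] == PAGE_EXECUTE_READWRITE
                  and a["mem_type"] == MEM_PRIVATE})
    unpacked = defaultdict(set)
    for a in arts:
        if a["kind"] == "UNPACKEDPE":
            unpacked[(a["proc"], a["image"])].add(a["base"])
    return {"pids": pids, "rwx_private": rwx,
            "unpacked": {k: sorted(v) for k, v in unpacked.items()}}


if __name__ == "__main__":
    t = triage(SAMPLE_LINES)
    print("dump PIDs:", t["pids"])
    print("private RWX regions:", [(p, hex(b)) for p, b in t["rwx_private"]])
    for (proc, image), bases in t["unpacked"].items():
        print(f"process {proc} ({image}): unpacked at", [hex(b) for b in bases])
```

Under the assumed field meanings, the two private PAGE_EXECUTE_READWRITE regions at 0x402000 (process indices 7 and 19) sit where the first section of a 32-bit .NET image maps (default image base 0x400000 plus section RVA 0x2000) but are MEM_PRIVATE rather than MEM_IMAGE, which is what a PE written into a process by hand rather than loaded by the image loader looks like. That is a reason to dump those regions first; it is not by itself proof of injection.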