
Windows Analysis Report
Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 679169
MD5: 75c66bdbd22e4745cf2554712c31bb9e
SHA1: 165a1b9ce59f2d07bb8ae4ee81200345709007b0
SHA256: 6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Statement of Account.exe (PID: 5288 cmdline: "C:\Users\user\Desktop\Statement of Account.exe" MD5: 75C66BDBD22E4745CF2554712C31BB9E)
    • powershell.exe (PID: 4572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1568 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Statement of Account.exe (PID: 5236 cmdline: C:\Users\user\Desktop\Statement of Account.exe MD5: 75C66BDBD22E4745CF2554712C31BB9E)
  • cleanup

Malware Configuration (AgentTesla)

{"Exfil Mode": "SMTP", "Username": "admin@nikhillogistics.in", "Password": "rgccn@110599", "Host": "mail.nikhillogistics.in"}
Yara matches in memory dumps (Source | Rule | Description | Author; matched strings listed beneath each entry)

00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30129:$a13: get_DnsResolver
  • 0x2e939:$a20: get_LastAccessed
  • 0x30a86:$a27: set_InternalServerPort
  • 0x30da5:$a30: set_GuidMasterKey
  • 0x2ea40:$a33: get_Clipboard
  • 0x2ea4e:$a34: get_Keyboard
  • 0x2fd32:$a35: get_ShiftKeyDown
  • 0x2fd43:$a36: get_AltKeyDown
  • 0x2ea5b:$a37: get_Password
  • 0x2f4e2:$a38: get_PasswordHash
  • 0x30508:$a39: get_DefaultCredentials
00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author; matched strings listed beneath each entry)

0.2.Statement of Account.exe.441b480.10.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Statement of Account.exe.441b480.10.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Statement of Account.exe.441b480.10.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32ba8:$s10: logins
  • 0x66fc8:$s10: logins
  • 0x32615:$s11: credential
  • 0x66a35:$s11: credential
  • 0x2ec40:$g1: get_Clipboard
  • 0x63060:$g1: get_Clipboard
  • 0x2ec4e:$g2: get_Keyboard
  • 0x6306e:$g2: get_Keyboard
  • 0x2ec5b:$g3: get_Password
  • 0x6307b:$g3: get_Password
  • 0x2ff22:$g4: get_CtrlKeyDown
  • 0x64342:$g4: get_CtrlKeyDown
  • 0x2ff32:$g5: get_ShiftKeyDown
  • 0x64352:$g5: get_ShiftKeyDown
  • 0x2ff43:$g6: get_AltKeyDown
  • 0x64363:$g6: get_AltKeyDown
0.2.Statement of Account.exe.441b480.10.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30329:$a13: get_DnsResolver
  • 0x64749:$a13: get_DnsResolver
  • 0x2eb39:$a20: get_LastAccessed
  • 0x62f59:$a20: get_LastAccessed
  • 0x30c86:$a27: set_InternalServerPort
  • 0x650a6:$a27: set_InternalServerPort
  • 0x30fa5:$a30: set_GuidMasterKey
  • 0x653c5:$a30: set_GuidMasterKey
  • 0x2ec40:$a33: get_Clipboard
  • 0x63060:$a33: get_Clipboard
  • 0x2ec4e:$a34: get_Keyboard
  • 0x6306e:$a34: get_Keyboard
  • 0x2ff32:$a35: get_ShiftKeyDown
  • 0x64352:$a35: get_ShiftKeyDown
  • 0x2ff43:$a36: get_AltKeyDown
  • 0x64363:$a36: get_AltKeyDown
  • 0x2ec5b:$a37: get_Password
  • 0x6307b:$a37: get_Password
  • 0x2f6e2:$a38: get_PasswordHash
  • 0x63b02:$a38: get_PasswordHash
  • 0x30708:$a39: get_DefaultCredentials
0.2.Statement of Account.exe.43e6e60.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Statement of Account.exe; Virustotal: Detection: 28%
Source: Statement of Account.exe; ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe; ReversingLabs: Detection: 20%
Source: Statement of Account.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe; Joe Sandbox ML: detected
Source: 8.0.Statement of Account.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 0.2.Statement of Account.exe.43e6e60.8.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "admin@nikhillogistics.in", "Password": "rgccn@110599", "Host": "mail.nikhillogistics.in"}
Source: Statement of Account.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Statement of Account.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View; IP Address: 162.144.73.161
Source: global traffic; TCP traffic: 192.168.2.4:49769 -> 162.144.73.161:587
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: Statement of Account.exe, 00000008.00000002.501298281.00000000015F2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Statement of Account.exe, 00000008.00000002.510776045.0000000006A87000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Statement of Account.exe, 00000008.00000002.501298281.00000000015F2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab:
Source: Statement of Account.exe, 00000008.00000002.511016536.0000000006AB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d3ddfa60c0dd
Source: Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ensg$
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.nikhillogistics.in
Source: Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nikhillogistics.in
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000003.312641363.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506912024.0000000003463000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pnESxHojn5G.org
Source: Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r3.i.lencr.org/0N
Source: Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://uRXIlH.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500159248.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: Statement of Account.exe, 00000008.00000002.510776045.0000000006A87000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.501387367.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.8.dr; String found in binary or memory: http://x1.i.lencr.org/
Source: Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500159248.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: Statement of Account.exe, 00000008.00000002.510776045.0000000006A87000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/9
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org%
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown; DNS traffic detected: queries for: mail.nikhillogistics.in
Source: C:\Users\user\Desktop\Statement of Account.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Statement of Account.exe; File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Statement of Account.exe PID: 5288, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Statement of Account.exe PID: 5236, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.0.Statement of Account.exe.400000.0.unpack, <PrivateImplementationDetails>{3D0D1504-2251-45F4-BFD3-42E5F71129A7}/AA66BB39-BD9D-4F62-B0C3-53363A893F18.cs; Large array initialization: .cctor: array initializer size 11686
Source: Statement of Account.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Statement of Account.exe PID: 5288, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Statement of Account.exe PID: 5236, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_0AFB7610
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_0AFB8C68
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_0AFB0040
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_0AFB0037
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_0151F398
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_01516582
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_0151F6E0
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BBB09
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BB8C0
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B89A8
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B9C48
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B3330
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_06A32EF8
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_06A31BE0
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_06A31068
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHfcaVdMNywOnamQUDofeuStMhH.exe4 vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000002.278441612.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFroor.dll4 vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000003.260450267.0000000006FD0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePlates.dll4 vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000000.227285898.0000000000496000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDebuggerDisplayAttrib.exe: vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000002.308926624.0000000007130000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFroor.dll4 vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000002.286838675.0000000003F91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHfcaVdMNywOnamQUDofeuStMhH.exe4 vs Statement of Account.exe
                Source: Statement of Account.exe, 00000000.00000002.309359722.000000000AD20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Statement of Account.exe
                Source: Statement of Account.exe, 00000008.00000002.498560350.000000000152A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Statement of Account.exe
                Source: Statement of Account.exe, 00000008.00000000.273676023.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHfcaVdMNywOnamQUDofeuStMhH.exe4 vs Statement of Account.exe
                Source: Statement of Account.exe | Binary or memory string: OriginalFilenameDebuggerDisplayAttrib.exe: vs Statement of Account.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: Statement of Account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: ObhZOLODRqR.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Statement of Account.exe | Virustotal: Detection: 28%
                Source: Statement of Account.exe | ReversingLabs: Detection: 20%
                Source: C:\Users\user\Desktop\Statement of Account.exe | File read: C:\Users\user\Desktop\Statement of Account.exe
                Source: Statement of Account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\Statement of Account.exe "C:\Users\user\Desktop\Statement of Account.exe"
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Users\user\Desktop\Statement of Account.exe C:\Users\user\Desktop\Statement of Account.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe"
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp"
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Users\user\Desktop\Statement of Account.exe C:\Users\user\Desktop\Statement of Account.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\Statement of Account.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Statement of Account.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Statement of Account.exe | File created: C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe | File created: C:\Users\user\AppData\Local\Temp\tmp656A.tmp
                Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/13@3/1
                Source: C:\Users\user\Desktop\Statement of Account.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: Statement of Account.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\Statement of Account.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\Statement of Account.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
                Source: C:\Users\user\Desktop\Statement of Account.exe | Mutant created: \Sessions\1\BaseNamedObjects\NUyraftjPtegGrrVzDt
                Source: Statement of Account.exe, Lib_Mang_Sys/Member_Panel.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: ObhZOLODRqR.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 0.0.Statement of Account.exe.3d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 8.0.Statement of Account.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\Statement of Account.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Statement of Account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Statement of Account.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Statement of Account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: Statement of Account.exe, Lib_Mang_Sys/Member_Panel.cs | .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: ObhZOLODRqR.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs | .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.Statement of Account.exe.3d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs | .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B178E push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B1782 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B179A push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BF799 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B1792 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17AA push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17A1 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17B9 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17B2 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17CA push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17C2 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17DA push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17D1 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17EA push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B17E2 push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BF7E5 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B177A push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B2520 push edi; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BFA91 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BFA45 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B3330 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B40B1 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BF8C9 push es; iretd
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068B18DD push es; ret
                Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 8_2_068BA0F1 pushad ; ret
                Source: Statement of Account.exe | Static PE information: 0xE7487E1C [Tue Dec 16 17:42:52 2092 UTC]
                Source: initial sample | Static PE information: section name: .text entropy: 7.539163874694484
                Source: C:\Users\user\Desktop\Statement of Account.exe | File created: C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp"
                Source: C:\Users\user\Desktop\Statement of Account.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Statement of Account.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Statement of Account.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: Statement of Account.exe PID: 5288, type: MEMORYSTR
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\Statement of Account.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Statement of Account.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5296 Thread sleep time: -45877s >= -30000s
                Source: C:\Users\user\Desktop\Statement of Account.exe TID: 4288 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4220 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Users\user\Desktop\Statement of Account.exe TID: 4192 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\Statement of Account.exe TID: 5480 Thread sleep count: 9749 > 30
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9326
                Source: C:\Users\user\Desktop\Statement of Account.exe Window / User API: threadDelayed 9749
                Source: C:\Users\user\Desktop\Statement of Account.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Statement of Account.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Statement of Account.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 45877
                Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Statement of Account.exe Thread delayed: delay time: 922337203685477
                Source: Statement of Account.exe, 00000000.00000002.309359722.000000000AD20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: kOBYhi9OVmCi84udFEa
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                Source: Statement of Account.exe, 00000008.00000003.366576113.0000000006B39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                Source: Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                Source: Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\Statement of Account.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Statement of Account.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 8_2_06A35A80 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Statement of Account.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Statement of Account.exe File written: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp
                Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Users\user\Desktop\Statement of Account.exe C:\Users\user\Desktop\Statement of Account.exe
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Users\user\Desktop\Statement of Account.exe VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Users\user\Desktop\Statement of Account.exe VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Statement of Account.exe | File written: C:\Windows\System32\drivers\etc\hosts

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 5288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 5236, type: MEMORYSTR
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 5236, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.Statement of Account.exe.441b480.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43e6e60.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Statement of Account.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.441b480.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43e6e60.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement of Account.exe.43aec40.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 5288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 5236, type: MEMORYSTR
MITRE ATT&CK Matrix, listed by tactic column (the number the matrix shows in front of a technique is kept in parentheses):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (211); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (11)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: File and Directory Discovery (1); System Information Discovery (114); Query Registry (1); Security Software Discovery (311); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 679169 | Sample: Statement of Account.exe | Startdate: 05/08/2022 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree (node id: process (count shown in the graph)):

node 7: Statement of Account.exe (7), started
    Dropped: C:\Users\user\AppData\...\ObhZOLODRqR.exe (PE32); C:\Users\...\ObhZOLODRqR.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp656A.tmp (XML); C:\Users\...\Statement of Account.exe.log (ASCII)
    Signatures: Adds a directory exclusion to Windows Defender
    node 11: Statement of Account.exe (4), started
        DNS/IP: x1.i.lencr.org; mail.nikhillogistics.in; 2 other IPs or domains
        Dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    node 16: powershell.exe (21), started
        node 20: conhost.exe, started
    node 18: schtasks.exe (1), started
        node 22: conhost.exe, started

Source | Detection | Scanner | Label
Statement of Account.exe | 28% | Virustotal |
Statement of Account.exe | 21% | ReversingLabs | Win32.Trojan.LokiBot
Statement of Account.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe | 21% | ReversingLabs | Win32.Trojan.LokiBot

Source | Detection | Scanner | Label
8.0.Statement of Account.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Source | Detection | Scanner | Label
nikhillogistics.in | 0% | Virustotal |
windowsupdatebg.s.llnwi.net | 0% | Virustotal |
mail.nikhillogistics.in | 0% | Virustotal |
x1.i.lencr.org | 1% | Virustotal |

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://x1.i.lencr.org/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://r3.i.lencr.org/0N | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://pnESxHojn5G.org | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://uRXIlH.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://nikhillogistics.in | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://x1.i.lencr.org/9 | 0% | Avira URL Cloud | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://mail.nikhillogistics.in | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nikhillogistics.in | 162.144.73.161 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 41.63.96.128 | true | false | | unknown
mail.nikhillogistics.in | unknown | unknown | true | | unknown
x1.i.lencr.org | unknown | unknown | true | | unknown
                NameSourceMaliciousAntivirus DetectionReputation
                http://127.0.0.1:HTTP/1.1Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                low
                http://www.apache.org/licenses/LICENSE-2.0Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.fontbureau.comStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.fontbureau.com/designersGStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://x1.i.lencr.org/Statement of Account.exe, 00000008.00000002.510776045.0000000006A87000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.501387367.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.8.drfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/?Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/bTheStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://r3.i.lencr.org/0NStatement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://cps.letsencrypt.org0Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers?Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwStatement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://pnESxHojn5G.orgStatement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000003.312641363.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506912024.0000000003463000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.tiro.comStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://uRXIlH.comStatement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designersStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://api.ipify.org%%startupfolder%Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            low
                            http://www.goodfont.co.krStatement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
http://nikhillogistics.in | Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/9 | Statement of Account.exe, 00000008.00000002.510776045.0000000006A87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500159248.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500159248.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | Statement of Account.exe, 00000008.00000002.510701369.0000000006A78000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500274188.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.500714577.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.507022754.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://mail.nikhillogistics.in | Statement of Account.exe, 00000008.00000002.506976142.000000000346D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Statement of Account.exe, 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | Statement of Account.exe, 00000000.00000002.305139013.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | Statement of Account.exe, 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
162.144.73.161 | nikhillogistics.in | United States | - | 46606 | UNIFIEDLAYER-AS-1US | false
                                      Joe Sandbox Version:35.0.0 Citrine
                                      Analysis ID:679169
Start date and time: 05/08/2022 11:18:10 (2022-08-05 11:18:10 +02:00)
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 8m 4s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:Statement of Account.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:31
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.adwa.spyw.evad.winEXE@9/13@3/1
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 96%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 8.238.189.126, 8.248.141.254, 8.238.85.126, 8.248.137.254, 8.248.139.254, 23.50.97.168, 178.79.225.0, 93.184.221.240
                                      • Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, e8652.dscx.akamaiedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, store-images.s-microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, crl.root-x1.letsencrypt.org.edgekey.net
                                      • Execution Graph export aborted for target Statement of Account.exe, PID 5288 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:19:19 | API Interceptor | 602x Sleep call for process: Statement of Account.exe modified
11:19:29 | API Interceptor | 37x Sleep call for process: powershell.exe modified
                                      No context
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1391
                                      Entropy (8bit):7.705940075877404
                                      Encrypted:false
                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                      Category:dropped
                                      Size (bytes):61712
                                      Entropy (8bit):7.995044632446497
                                      Encrypted:true
                                      SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                      MD5:589C442FC7A0C70DCA927115A700D41E
                                      SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                      SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                      SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):192
                                      Entropy (8bit):2.8064124905820815
                                      Encrypted:false
                                      SSDEEP:3:kkFkllbEvfllXlE/zMcYlXNNX8RolJuRdyo1dlUKlGXJlDdt:kKMEk1Y7NMa8Rdy+UKcXP
                                      MD5:B10BEEA845B41DBF6A66052DBBD48599
                                      SHA1:7AE0150316C7C178338833582FD29377B814946F
                                      SHA-256:B011A65DF58AF77E48E23DA30603864AD1619AED7C93AC5E3F0790CADDABA9DF
                                      SHA-512:BB09502DCAA81ABE695C79BC34E40CCB3848101081E33EF9943DBEEAA61C72D65515E2DAF1689BC45D70323AEA3F3ECFD45543DA7CF34937C767450A538E87F1
                                      Malicious:false
                                      Reputation:low
                                      Preview:p...... .........Y......(....................................................... ..........~...*@..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):290
                                      Entropy (8bit):2.9542848029467006
                                      Encrypted:false
                                      SSDEEP:6:kKcDv+N+SkQlPlEGYRMY9z+4KlDA3RUe/:EDvNkPlE99SNxAhUe/
                                      MD5:E7DCBF70A581126CBA8A8657730B5418
                                      SHA1:A739325C51FA204A640060366A414063583FBE49
                                      SHA-256:0378C5E3799756BA8AEE637B668CA72B1F5A0E3BFADAB06DF3ADBC77BD0056B9
                                      SHA-512:6ADC18C489CA5447234316FD6A7E2483CB130CF4BD60386FF98A0D473D7604E9F4D33E3EF60311633E6EFD862E1590AF342494899508E6E178559EDE753F3F86
                                      Malicious:false
                                      Preview:p...... ........[......(....................................................... .........L.........................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1750
                                      Entropy (8bit):5.3375092442007315
                                      Encrypted:false
                                      SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
                                      MD5:92FEE17DD9A6925BA2D1E5EF2CD6E5F2
                                      SHA1:4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
                                      SHA-256:67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
                                      SHA-512:C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):22272
                                      Entropy (8bit):5.602723185903279
                                      Encrypted:false
                                      SSDEEP:384:PtCD202QfaplMf9EBweSBKnAjsh77Y9g9SJ3xa1BMrm7Z1AV7SDaTg64I+iyYZ:QfUWf9gwe4KAohf9cBa4aE
                                      MD5:2AB8ED144E52F3C3720B4F757D9F4B97
                                      SHA1:48D1011A92A5B71D0EBFFF056CF87C8989801A84
                                      SHA-256:E1DAEF7CDF923BEB56CC4B30BC77B88EC83569425E48FA5038B2C92E50A07646
                                      SHA-512:E7F584F842F9C825A8A230C3E1C3CDD37B8A01AF774E1E51D0B37787F470F4B7280BBAB3D6769BEEE308F25AFB95B8DA7A7251490368A2CC08FF0005EE413F74
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1598
                                      Entropy (8bit):5.145923636218015
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaPxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTKv
                                      MD5:91116E069DA37D68CC10FC51056251DC
                                      SHA1:2A33AE988126604C40868205EBA5EE0371F3B8B3
                                      SHA-256:48037C677909446C4F35FB484C89CFADF2536A96E11331F9AF3477DEED1AF787
                                      SHA-512:1CF1C8BBED95A4071CFE9CF811A391921B8ED891802ADA83328D22189C9CB8EC60B949B698D46FF861C17C1C341A5E14BBF72EC224D97CE56F4009F0B18F8BE3
                                      Malicious:true
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):801280
                                      Entropy (8bit):7.53522419179703
                                      Encrypted:false
                                      SSDEEP:12288:Ni78QCM0vT5XX2sIhKbZK6ZshN2gUDe8jTFa9Md8ClaO2tRaYnrdv7ByMg6SKlpx:jTtT5bIh6sOiMjlmLaYnrZ7BvLlpx
                                      MD5:75C66BDBD22E4745CF2554712C31BB9E
                                      SHA1:165A1B9CE59F2D07BB8AE4EE81200345709007B0
                                      SHA-256:6B0B7F653E4AA7AD98B6417CF50934CC6825CCFFDCB750BAA321536CD8816E29
                                      SHA-512:55390C35FE2998A96F9594367DC214B9675B4DACF3C2C535812418441C76B7B516F108318577F86FA3F9945285D8468CFF8A3CD7A9EC0EED763A5695A6573D77
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 21%
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5793
                                      Entropy (8bit):5.41590295733232
                                      Encrypted:false
                                      SSDEEP:96:BZFjiNiqDo1ZrZOjiNiqDo1ZiPVnjZKjiNiqDo1Z/qXX/Zo:M
                                      MD5:46CCFD3A13B6129D81ADAA145D0F147A
                                      SHA1:DFF19D438EAF02EBAF8C386B01DFCA69A0446439
                                      SHA-256:E6E05CB3E587A1F47807684DB8320BC06A08134A08D2368A27D50BC1A50B139A
                                      SHA-512:FA1A45F908EE61D2B33D53AADA3821CC6B3A9D5644BBC2B2677B05E549C30398342E08AD662C03A0F0B8C7038BEF11D3CAD794B018E26BE7EA5C47FE042DC4FB
                                      Malicious:false
                                      Preview:.**********************..Windows PowerShell transcript start..Start time: 20220805111928..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe..Process ID: 4572..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220805111928..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe..**********************..Windows PowerShell transcript start..Start time: 20220805112359..Username: computer\user..RunAs User: computer\jo
                                      Process:C:\Users\user\Desktop\Statement of Account.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):835
                                      Entropy (8bit):4.694294591169137
                                      Encrypted:false
                                      SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                      MD5:6EB47C1CF858E25486E42440074917F2
                                      SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                      SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                      SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                      Malicious:true
                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.53522419179703
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:Statement of Account.exe
                                      File size:801280
                                      MD5:75c66bdbd22e4745cf2554712c31bb9e
                                      SHA1:165a1b9ce59f2d07bb8ae4ee81200345709007b0
                                      SHA256:6b0b7f653e4aa7ad98b6417cf50934cc6825ccffdcb750baa321536cd8816e29
                                      SHA512:55390c35fe2998a96f9594367dc214b9675b4dacf3c2c535812418441c76b7b516f108318577f86fa3f9945285d8468cff8a3cd7a9ec0eed763a5695a6573d77
                                      SSDEEP:12288:Ni78QCM0vT5XX2sIhKbZK6ZshN2gUDe8jTFa9Md8ClaO2tRaYnrdv7ByMg6SKlpx:jTtT5bIh6sOiMjlmLaYnrZ7BvLlpx
                                      TLSH:2F05129936EB9B13CAB84FF2B16522601B34A03F64AAE30E5C857CFB51B1B434751B53
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~H...............0..0...........M... ...`....@.. ....................................@................................
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x4c4df2
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xE7487E1C [Tue Dec 16 17:42:52 2092 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      dec eax
                                      xor al, 46h
                                      pop edx
                                      push esp
                                      inc edi
                                      inc ebx
                                      pop eax
                                      cmp byte ptr [edi], dh
                                      pop eax
                                      xor al, 38h
                                      inc edx
                                      inc esi
                                      aaa
                                      xor al, 47h
                                      inc edx
                                      xor eax, 00003838h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc4da0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6000 | 0x5ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc4d84 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc2e10 | 0xc3000 | False | 0.8278307792467948 | data | 7.539163874694484 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc6000 | 0x5ec | 0x600 | False | 0.4322916666666667 | data | 4.1877920292961885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc6090 | 0x35c | data | |
RT_MANIFEST | 0xc63fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:19:57.217582941 CEST | 60506 | 53 | 192.168.2.4 | 8.8.8.8
Aug 5, 2022 11:19:57.374994040 CEST | 53 | 60506 | 8.8.8.8 | 192.168.2.4
Aug 5, 2022 11:19:57.457376003 CEST | 64277 | 53 | 192.168.2.4 | 8.8.8.8
Aug 5, 2022 11:19:57.477283001 CEST | 53 | 64277 | 8.8.8.8 | 192.168.2.4
Aug 5, 2022 11:20:14.020828009 CEST | 56076 | 53 | 192.168.2.4 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:19:57.217582941 CEST | 192.168.2.4 | 8.8.8.8 | 0x5d25 | Standard query (0) | mail.nikhillogistics.in | A (IP address) | IN (0x0001)
Aug 5, 2022 11:19:57.457376003 CEST | 192.168.2.4 | 8.8.8.8 | 0x837c | Standard query (0) | mail.nikhillogistics.in | A (IP address) | IN (0x0001)
Aug 5, 2022 11:20:14.020828009 CEST | 192.168.2.4 | 8.8.8.8 | 0x5538 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 11:19:26.364972115 CEST | 8.8.8.8 | 192.168.2.4 | 0x449c | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.128 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:19:26.364972115 CEST | 8.8.8.8 | 192.168.2.4 | 0x449c | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.0 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:19:57.374994040 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d25 | No error (0) | mail.nikhillogistics.in | nikhillogistics.in | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 11:19:57.374994040 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d25 | No error (0) | nikhillogistics.in | | 162.144.73.161 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:19:57.477283001 CEST | 8.8.8.8 | 192.168.2.4 | 0x837c | No error (0) | mail.nikhillogistics.in | nikhillogistics.in | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 11:19:57.477283001 CEST | 8.8.8.8 | 192.168.2.4 | 0x837c | No error (0) | nikhillogistics.in | | 162.144.73.161 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:20:14.041349888 CEST | 8.8.8.8 | 192.168.2.4 | 0x5538 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 11:20:14.711277008 CEST | 8.8.8.8 | 192.168.2.4 | 0xd481 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.225.0 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 5, 2022 11:19:59.697355986 CEST | 587 | 49769 | 162.144.73.161 | 192.168.2.4 | 220-162-144-73-161.bluehost-ob.net ESMTP Exim 4.93 #2 Fri, 05 Aug 2022 09:19:59 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 5, 2022 11:19:59.704181910 CEST | 49769 | 587 | 192.168.2.4 | 162.144.73.161 | EHLO 581804
Aug 5, 2022 11:20:00.260518074 CEST | 49769 | 587 | 192.168.2.4 | 162.144.73.161 | EHLO 581804
Aug 5, 2022 11:20:00.467394114 CEST | 587 | 49769 | 162.144.73.161 | 192.168.2.4 | 250-162-144-73-161.bluehost-ob.net Hello 581804 [102.129.143.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Aug 5, 2022 11:20:00.480840921 CEST | 49769 | 587 | 192.168.2.4 | 162.144.73.161 | STARTTLS
Aug 5, 2022 11:20:01.057456970 CEST | 49769 | 587 | 192.168.2.4 | 162.144.73.161 | STARTTLS
Aug 5, 2022 11:20:01.271528006 CEST | 587 | 49769 | 162.144.73.161 | 192.168.2.4 | 220 TLS go ahead


                                      Target ID:0
                                      Start time:11:19:09
                                      Start date:05/08/2022
                                      Path:C:\Users\user\Desktop\Statement of Account.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Statement of Account.exe"
                                      Imagebase:0x3d0000
                                      File size:801280 bytes
                                      MD5 hash:75C66BDBD22E4745CF2554712C31BB9E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.279495146.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.301123592.00000000043AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:4
                                      Start time:11:19:25
                                      Start date:05/08/2022
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ObhZOLODRqR.exe
                                      Imagebase:0x340000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      Target ID:5
                                      Start time:11:19:25
                                      Start date:05/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff647620000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:6
                                      Start time:11:19:26
                                      Start date:05/08/2022
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObhZOLODRqR" /XML "C:\Users\user\AppData\Local\Temp\tmp656A.tmp
                                      Imagebase:0x220000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:7
                                      Start time:11:19:28
                                      Start date:05/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff647620000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:8
                                      Start time:11:19:30
                                      Start date:05/08/2022
                                      Path:C:\Users\user\Desktop\Statement of Account.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\Statement of Account.exe
                                      Imagebase:0xd20000
                                      File size:801280 bytes
                                      MD5 hash:75C66BDBD22E4745CF2554712C31BB9E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000008.00000000.272952943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.501940034.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      No disassembly