
Analysis Report INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 289643
MD5: f547b51cdf7d2d143b1cbe47d493f6b0
SHA1: 013fc6ce63a18928d1176d56d9bf713e9673ac32
SHA256: 231cbb65ca53f39122fe422f9eecfd39867bac941d378aeb6502415fd83b4ea5
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • INVOICE.exe (PID: 5968 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: F547B51CDF7D2D143B1CBE47D493F6B0)
    • INVOICE.exe (PID: 6584 cmdline: {path} MD5: F547B51CDF7D2D143B1CBE47D493F6B0)
    • INVOICE.exe (PID: 3028 cmdline: {path} MD5: F547B51CDF7D2D143B1CBE47D493F6B0)
    • INVOICE.exe (PID: 4864 cmdline: {path} MD5: F547B51CDF7D2D143B1CBE47D493F6B0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "TKYBVByu", "URL: ": "http://5cDtUxquHZNdyK6.net", "To: ": "bruceedmund@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "vDYnJ8", "From: ": "bruceedmund@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.622058180.0000000002ECE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.622058180.0000000002ECE000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.620264584.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.393123904.0000000003935000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.INVOICE.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: INVOICE.exe.4864.7.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "TKYBVByu", "URL: ": "http://5cDtUxquHZNdyK6.net", "To: ": "bruceedmund@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "vDYnJ8", "From: ": "bruceedmund@yandex.com"}
Multi AV Scanner detection for submitted file
Source: INVOICE.exe | Virustotal: Detection: 29%
Source: INVOICE.exe | ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: INVOICE.exe | Joe Sandbox ML: detected
Source: 7.2.INVOICE.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: global traffic | TCP traffic: 192.168.2.3:49758 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.3:49758 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: INVOICE.exe, 00000007.00000002.622245127.0000000002F24000.00000004.00000001.sdmp, INVOICE.exe, 00000007.00000002.622467643.0000000002F74000.00000004.00000001.sdmp | String found in binary or memory: http://5cDtUxquHZNdyK6.net
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: http://BWZzTC.com
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: INVOICE.exe, 00000007.00000003.581080651.0000000001355000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: INVOICE.exe, 00000007.00000003.581080651.0000000001355000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: INVOICE.exe, 00000007.00000002.622333398.0000000002F4A000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: INVOICE.exe, 00000001.00000003.368561591.00000000050A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INVOICE.exe, 00000001.00000003.368978459.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: INVOICE.exe, 00000001.00000003.368978459.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comai
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: INVOICE.exe, 00000001.00000003.368978459.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: INVOICE.exe, 00000001.00000003.368978459.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue;
Source: INVOICE.exe, 00000007.00000002.622391675.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: INVOICE.exe, 00000001.00000003.370672614.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers&
Source: INVOICE.exe, 00000001.00000003.370640752.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INVOICE.exe, 00000001.00000003.371306194.00000000050DD000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: INVOICE.exe, 00000001.00000003.375283234.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersa
Source: INVOICE.exe, 00000001.00000003.370731195.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerso
Source: INVOICE.exe, 00000001.00000003.375283234.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersr
Source: INVOICE.exe, 00000001.00000003.370918970.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
Source: INVOICE.exe, 00000001.00000003.370945621.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersy
Source: INVOICE.exe, 00000001.00000003.371899529.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~
Source: INVOICE.exe, 00000001.00000002.385782708.0000000000D48000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comionf
Source: INVOICE.exe, 00000001.00000002.385782708.0000000000D48000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comlt
Source: INVOICE.exe, 00000001.00000002.385782708.0000000000D48000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: INVOICE.exe, 00000001.00000002.385782708.0000000000D48000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comoX
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: INVOICE.exe, 00000001.00000002.385770762.0000000000D40000.00000004.00000040.sdmp | String found in binary or memory: http://www.fonts.comCH
Source: INVOICE.exe, 00000001.00000003.368058494.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INVOICE.exe, 00000001.00000003.368019662.00000000050A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnhtq_
Source: INVOICE.exe, 00000001.00000003.367995972.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnlo
Source: INVOICE.exe, 00000001.00000003.368058494.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnmay
Source: INVOICE.exe, 00000001.00000003.367995972.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnoft)
Source: INVOICE.exe, 00000001.00000003.368058494.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnthe
Source: INVOICE.exe, 00000001.00000003.373435770.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INVOICE.exe, 00000001.00000003.370979200.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: INVOICE.exe, 00000001.00000003.367086181.00000000050C3000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: INVOICE.exe, 00000001.00000003.367086181.00000000050C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comd
Source: INVOICE.exe, 00000001.00000003.366854080.00000000050C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comy
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: INVOICE.exe, 00000001.00000003.369514493.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com8
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: INVOICE.exe, 00000001.00000003.369051971.00000000050B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comWu_
Source: INVOICE.exe, 00000001.00000003.369051971.00000000050B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: INVOICE.exe, 00000001.00000003.370549902.00000000050B2000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000003.372172798.00000000050B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: INVOICE.exe, 00000001.00000003.370549902.00000000050B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de;u
Source: INVOICE.exe, 00000001.00000002.396383949.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: INVOICE.exe, 00000001.00000003.370549902.00000000050B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dek
Source: INVOICE.exe, 00000001.00000003.370549902.00000000050B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deras
Source: INVOICE.exe, 00000001.00000003.368882412.00000000050B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: INVOICE.exe, 00000001.00000003.368803403.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.g
Source: INVOICE.exe, 00000001.00000003.368803403.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue/
Source: INVOICE.exe, 00000001.00000003.368803403.00000000050DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnvai
Source: INVOICE.exe, 00000007.00000003.581080651.0000000001355000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: INVOICE.exe, 00000007.00000003.581080651.0000000001355000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: INVOICE.exe, 00000001.00000002.393123904.0000000003935000.00000004.00000001.sdmp, INVOICE.exe, 00000007.00000002.620264584.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: INVOICE.exe, 00000007.00000003.581080651.0000000001355000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: INVOICE.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: INVOICE.exe, 00000007.00000002.621822929.0000000002E41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 7.2.INVOICE.exe.400000.0.unpack, <PrivateImplementationDetails>{DDB51F18-8E98-4061-B2FC-7600967236BD}/9F8314B1-150A-4ECD-931E-D7D051D38F72.cs | Large array initialization: .cctor: array initializer size 11984
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INVOICE.exe
PE file contains section with special chars
Source: INVOICE.exe | Static PE information: section name: #Vmrx '
PE file has nameless sections
Source: INVOICE.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04F40878
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04F40040
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04F31A36
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B104F8
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B1BCC0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B12D81
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B11978
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B12540
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B14680
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16E40
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B13760
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B12498
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16098
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B178FE
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B1A8D8
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16418
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16C50
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16C41
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B15840
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B15598
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B14580
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B15588
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B169F0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B169E0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B16128
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B167D0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B167C0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B1AF18
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04BABD14
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04BACCB8
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04BAAC90
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04BAAC8A
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_04BA8C34
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 5_2_003AEC8A
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 6_2_002CEC8A
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 7_2_00B7EC8A
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 7_2_00402CF0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 7_2_01214428
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 7_2_01217EC8
Source: INVOICE.exe | Binary or memory string: OriginalFilename vs INVOICE.exe
Source: INVOICE.exe, 00000001.00000002.396311762.0000000005C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs INVOICE.exe
Source: INVOICE.exe, 00000001.00000002.386002403.0000000002691000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHutaba.dll, vs INVOICE.exe
Source: INVOICE.exe, 00000001.00000000.356197892.00000000002AA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameERc.exe. vs INVOICE.exe
Source: INVOICE.exe, 00000001.00000002.392864137.00000000036EC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs INVOICE.exe
Source: INVOICE.exe, 00000001.00000002.387420353.0000000002BCF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameITFLqSyckBbDdPBqxdSnJXXgZCufNHmtdpk.exe4 vs INVOICE.exe
Source: INVOICE.exe, 00000005.00000002.381685038.00000000003CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameERc.exe. vs INVOICE.exe
Source: INVOICE.exe, 00000006.00000000.382426789.00000000002EA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameERc.exe. vs INVOICE.exe
Source: INVOICE.exe | Binary or memory string: OriginalFilename vs INVOICE.exe
Source: INVOICE.exe, 00000007.00000002.620709445.0000000000F37000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INVOICE.exe
Source: INVOICE.exe, 00000007.00000002.620662081.0000000000B9A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameERc.exe. vs INVOICE.exe
Source: INVOICE.exe, 00000007.00000002.621300850.0000000001220000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs INVOICE.exe
Source: INVOICE.exe, 00000007.00000002.621432362.00000000012CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INVOICE.exe
Source: INVOICE.exe, 00000007.00000002.620264584.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameITFLqSyckBbDdPBqxdSnJXXgZCufNHmtdpk.exe4 vs INVOICE.exe
Source: INVOICE.exe | Binary or memory string: OriginalFilenameERc.exe. vs INVOICE.exe
Source: INVOICE.exe | Static PE information: Section: #Vmrx ' ZLIB complexity 1.00032167027
Source: 7.2.INVOICE.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.INVOICE.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@2/1
Source: C:\Users\user\Desktop\INVOICE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE.exe.log
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INVOICE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: INVOICE.exe | Virustotal: Detection: 29%
Source: INVOICE.exe | ReversingLabs: Detection: 56%
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\INVOICE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\INVOICE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: INVOICE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\INVOICE.exe Unpacked PE file: 1.2.INVOICE.exe.200000.0.unpack #Vmrx ':EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: INVOICE.exe Static PE information: section name: #Vmrx '
Source: INVOICE.exe Static PE information: section name:
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0027537B push ss; ret
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_002747AA push ebx; iretd
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_002778C2 push edx; iretd
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_04F368EC push cs; ret
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_04BAB600 pushad ; retf
Source: initial sample Static PE information: section name: #Vmrx ' entropy: 7.9996742989
Source: C:\Users\user\Desktop\INVOICE.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: INVOICE.exe PID: 5968, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\INVOICE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE.exe Window / User API: threadDelayed 783
Source: C:\Users\user\Desktop\INVOICE.exe TID: 5948 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 4776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6868 Thread sleep count: 783 > 30
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -59282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -58876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -58188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -56688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -113000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -111188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -83064s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -54500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -81423s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -53782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -53376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -79782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -79500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -52688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -52500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -52282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -78141s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -51876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -51376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -51188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -76500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -76173s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -50500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -50282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -50094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -49688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -74250s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -49188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -48094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -47282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -47000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -46782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -46188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -45500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -44876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -44376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -43282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -42688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -42500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -41376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -40876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -40688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -60750s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -39188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -58500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -38688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -56250s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -37282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -36688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -35500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -34782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -32876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -32688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -32188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -31782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -87750s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -86391s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -57376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -56282s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -55188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -54094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -53500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -49094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -47094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -46500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -45594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -43594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -42094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -41876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -40094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -38594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -37876s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -37688s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -35188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -33188s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -30782s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -30376s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6872 Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE.exe Last function: Thread delayed
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: vmware
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: INVOICE.exe, 00000001.00000002.392790260.0000000003073000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: INVOICE.exe, 00000007.00000002.626013933.00000000063CC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\INVOICE.exe Process information queried: ProcessInformation

              Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B11758 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 7_2_012127E8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Users\user\Desktop\INVOICE.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Users\user\Desktop\INVOICE.exe {path}
Source: INVOICE.exe, 00000007.00000002.621763183.0000000001930000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: INVOICE.exe, 00000007.00000002.621763183.0000000001930000.00000002.00000001.sdmp Binary or memory string: NProgram Manager
Source: INVOICE.exe, 00000007.00000002.621763183.0000000001930000.00000002.00000001.sdmp Binary or memory string: Progman
Source: INVOICE.exe, 00000007.00000002.621763183.0000000001930000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
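The "Queries volume information" entries above are noisy on their own: dozens of font files and a handful of GAC assemblies are what a .NET WinForms process touches while the CLR binds assemblies and GDI+ enumerates fonts. What is worth pulling out for triage is which framework assemblies the sample bound, because that corroborates the other signatures in this report (System.Management for the WMI-based Win32_Bios / Win32_NetworkAdapter checks, Microsoft.VisualBasic for the VB.NET helpers AgentTesla builds typically use). The script below is an added triage helper written for this page, not part of the sandbox vendor's tooling or of the sample; it parses report lines in the format shown here, tolerates the missing space after the source path seen in the extracted page, groups queried paths by directory, and extracts assembly name, version and public key token from the GAC path layout. The capability hints table is the editor's own heuristic mapping, and the embedded sample lines are a constructed subset in the report's format.

```python
"""Summarize sandbox "Queries volume information" lines for triage.

Added example for this page; not the sandbox vendor's code. Sample lines are a
constructed subset mimicking the report's own format.
"""
import re
from collections import Counter

# One signature line as rendered in the report. The "\s*" before "Queries"
# also accepts the extracted page's run-together form ("INVOICE.exeQueries").
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)\s*"
    r"Queries volume information:\s*(?P<path>.+?)\s*VolumeInformation\s*$"
)

# GAC layout: GAC_<MSIL|32|64>\<Name>\v<runtime>_<version>__<publicKeyToken>\<Name>.dll
GAC_RE = re.compile(
    r"\\GAC_(?:MSIL|32|64)\\(?P<name>[^\\]+)\\"
    r"v(?P<runtime>[^_\\]+)_(?P<version>[^_\\]+)__(?P<token>[0-9a-fA-F]{16})\\"
)

# Well-known Microsoft public key tokens for framework assemblies.
MS_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

# Editor's triage heuristics (assumptions, not sandbox output).
CAPABILITY_HINTS = {
    "System.Management": "WMI client: matches the Win32_Bios / Win32_NetworkAdapter VM checks",
    "Microsoft.VisualBasic": "VB.NET runtime helpers, common in AgentTesla-family .NET builds",
    "System.Windows.Forms": "WinForms: Clipboard / SendKeys style APIs available",
}

# Constructed sample in the report's format (note the run-together first lines).
SAMPLE = r"""
Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Found a high number of Window / User specific system calls
"""


def parse_line(line):
    """Return {'source', 'path'} for a volume-information line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"source": m.group("source"), "path": m.group("path")}


def summarize(lines):
    """Group queried paths by directory and collect bound GAC assemblies."""
    by_dir = Counter()
    assemblies = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1  # other signature types or junk
            continue
        path = rec["path"]
        by_dir[path.rsplit("\\", 1)[0] if "\\" in path else ""] += 1
        g = GAC_RE.search(path)
        if g:
            name = g.group("name")
            token = g.group("token").lower()
            entry = assemblies.setdefault(name, {
                "version": g.group("version"),
                "token": token,
                "microsoft_signed_token": token in MS_TOKENS,
                "hint": CAPABILITY_HINTS.get(name),
                "hits": 0,
            })
            entry["hits"] += 1
    return {"by_dir": by_dir, "assemblies": assemblies, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines())
    for directory, n in result["by_dir"].most_common():
        print(f"{n:3d}  {directory}")
    for name, info in sorted(result["assemblies"].items()):
        flag = "MS" if info["microsoft_signed_token"] else "??"
        print(f"[{flag}] {name} {info['version']} x{info['hits']}  {info['hint'] or ''}")
```

Running it over the full report section rather than the embedded sample is a matter of passing the lines from a saved copy of the page to `summarize`. A non-Microsoft public key token on something living under GAC_MSIL would be worth a closer look, since the sample's own payload would not normally be strong-named with a Microsoft token; every assembly in this report carries one of the standard framework tokens, so the signal here is purely which framework features the binary pulled in.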