Loading ...

Play interactive tourEdit tour

Analysis Report invoice.exe

Overview

General Information

Sample Name:invoice.exe
Analysis ID:404248
MD5:1a59efb27c11d1ae0959bf6661e23538
SHA1:6c5513edcdbbec2e332601bc136c3bf293b257fd
SHA256:35a971b8e884d2d443a0d998e1f5c86cac85fe32af0eac3ba3bd518580f26678
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • invoice.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: 1A59EFB27C11D1AE0959BF6661E23538)
    • invoice.exe (PID: 6488 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 1A59EFB27C11D1AE0959BF6661E23538)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "kxguy@chefoowork.comVttn8SluiOogmail.chefoowork.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.invoice.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.invoice.exe.435f638.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.invoice.exe.435f638.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 0.2.invoice.exe.435f638.2.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "kxguy@chefoowork.comVttn8SluiOogmail.chefoowork.com"}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: invoice.exeReversingLabs: Detection: 17%
                  Machine Learning detection for sampleShow sources
                  Source: invoice.exeJoe Sandbox ML: detected
                  Source: 4.2.invoice.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: invoice.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: invoice.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: global trafficTCP traffic: 192.168.2.4:49771 -> 67.21.94.15:587
                  Source: Joe Sandbox ViewIP Address: 67.21.94.15 67.21.94.15
                  Source: Joe Sandbox ViewASN Name: ST-BGPUS ST-BGPUS
                  Source: global trafficTCP traffic: 192.168.2.4:49771 -> 67.21.94.15:587
                  Source: unknownDNS traffic detected: queries for: mail.chefoowork.com
                  Source: invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpString found in binary or memory: http://XMBduf.com
                  Source: invoice.exe, 00000004.00000002.914437799.0000000003214000.00000004.00000001.sdmpString found in binary or memory: http://chefoowork.com
                  Source: invoice.exe, 00000004.00000002.914459791.000000000321C000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: invoice.exe, 00000004.00000002.916821425.00000000069DD000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: invoice.exe, 00000004.00000002.914459791.000000000321C000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: invoice.exe, 00000004.00000002.912327944.000000000117B000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: invoice.exe, 00000004.00000002.914437799.0000000003214000.00000004.00000001.sdmpString found in binary or memory: http://mail.chefoowork.com
                  Source: invoice.exe, 00000004.00000002.912327944.000000000117B000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: invoice.exe, 00000000.00000002.669242244.0000000003251000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: invoice.exe, 00000000.00000003.648358482.000000000647C000.00000004.00000001.sdmp, invoice.exe, 00000000.00000003.648325032.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: invoice.exeString found in binary or memory: http://www.churchsw.org/church-projector-project
                  Source: invoice.exeString found in binary or memory: http://www.churchsw.org/repository/Bibles/
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: invoice.exe, 00000000.00000003.649460358.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/G
                  Source: invoice.exe, 00000000.00000003.650618133.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: invoice.exe, 00000000.00000003.650651642.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx
                  Source: invoice.exe, 00000000.00000003.650506259.0000000006484000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: invoice.exe, 00000000.00000003.650173899.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlx
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: invoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                  Source: invoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.commva
                  Source: invoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comtl
                  Source: invoice.exe, 00000000.00000003.645807019.000000000648B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                  Source: invoice.exe, 00000000.00000003.645760203.000000000648B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic3
                  Source: invoice.exe, 00000000.00000003.645760203.000000000648B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comnO
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: invoice.exe, 00000000.00000003.647422674.0000000006473000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: invoice.exe, 00000000.00000003.652670720.000000000647C000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: invoice.exe, 00000000.00000003.652670720.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmWl
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: invoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-i
                  Source: invoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: invoice.exe, 00000000.00000003.648325032.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-e
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: invoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krH
                  Source: invoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
                  Source: invoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krormal
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: invoice.exe, 00000000.00000003.645972306.000000000648B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com:
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: invoice.exe, 00000000.00000003.651230932.000000000647C000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: invoice.exe, 00000000.00000003.647562258.0000000006473000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.4k
                  Source: invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpString found in binary or memory: http://ynmdZVkfPM0WUw.com
                  Source: invoice.exe, 00000004.00000002.912327944.000000000117B000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                  Source: invoice.exe, 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmp, invoice.exe, 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: invoice.exe
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_030DC508
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_030D9990
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BA818
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BBB38
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094B8A68
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094B0040
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BB3D0
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BC4F8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BF9C8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BF9B8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BA8DA
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_094BA8F5
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_062D0006
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_062D0040
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F44000
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F411DA
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F46D78
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F40EB8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F4D258
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F4ABD0
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F4B728
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F485C8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_00F48608
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_01324800
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_0132D800
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_01323EAA
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_01324770
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_0132C770
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_013247F2
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_06066C68
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_060694F8
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_06067538
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_06066920
                  Source: invoice.exeBinary or memory string: OriginalFilename vs invoice.exe
                  Source: invoice.exe, 00000000.00000002.669279978.0000000003297000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs invoice.exe
                  Source: invoice.exe, 00000000.00000002.669279978.0000000003297000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamecnGfukCpwgWzTHdgcfRSzDlnINNQxEa.exe4 vs invoice.exe
                  Source: invoice.exe, 00000000.00000000.642709609.0000000000E02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRijndaelManagedTransform.exeB vs invoice.exe
                  Source: invoice.exe, 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs invoice.exe
                  Source: invoice.exe, 00000000.00000002.676661632.00000000063E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIEFRAME.DLLD vs invoice.exe
                  Source: invoice.exe, 00000000.00000002.679786339.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoice.exe
                  Source: invoice.exeBinary or memory string: OriginalFilename vs invoice.exe
                  Source: invoice.exe, 00000004.00000000.667219984.0000000000A82000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRijndaelManagedTransform.exeB vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.912231991.000000000114A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.912778657.00000000014D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.912754305.00000000014C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.912719072.00000000014B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.911180484.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs invoice.exe
                  Source: invoice.exe, 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamecnGfukCpwgWzTHdgcfRSzDlnINNQxEa.exe4 vs invoice.exe
                  Source: invoice.exeBinary or memory string: OriginalFilenameRijndaelManagedTransform.exeB vs invoice.exe
                  Source: invoice.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: invoice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                  Source: C:\Users\user\Desktop\invoice.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.logJump to behavior
                  Source: invoice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\invoice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\invoice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\invoice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\invoice.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\invoice.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\invoice.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                  Source: invoice.exeReversingLabs: Detection: 17%
                  Source: unknownProcess created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
                  Source: C:\Users\user\Desktop\invoice.exeProcess created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
                  Source: C:\Users\user\Desktop\invoice.exeProcess created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
                  Source: C:\Users\user\Desktop\invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\invoice.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: invoice.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_0606A61F push es; iretd
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.62508857658
                  Source: C:\Users\user\Desktop\invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\invoice.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Yara detected AntiVM3Show sources
                  Source: Yara matchFile source: 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6980, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\invoice.exeWindow / User API: threadDelayed 1375
                  Source: C:\Users\user\Desktop\invoice.exeWindow / User API: threadDelayed 8478
                  Source: C:\Users\user\Desktop\invoice.exe TID: 7016Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\invoice.exe TID: 6984Thread sleep time: -100497s >= -30000s
                  Source: C:\Users\user\Desktop\invoice.exe TID: 7012Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\invoice.exe TID: 6928Thread sleep time: -16602069666338586s >= -30000s
                  Source: C:\Users\user\Desktop\invoice.exe TID: 6644Thread sleep count: 1375 > 30
                  Source: C:\Users\user\Desktop\invoice.exe TID: 6644Thread sleep count: 8478 > 30
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\invoice.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 100497
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\invoice.exeThread delayed: delay time: 922337203685477
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: VMWARE
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                  Source: invoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: invoice.exe, 00000004.00000002.912327944.000000000117B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\invoice.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_0606C6F8 KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
                  Source: C:\Users\user\Desktop\invoice.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\invoice.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\invoice.exeMemory written: C:\Users\user\Desktop\invoice.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\invoice.exeProcess created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
                  Source: invoice.exe, 00000004.00000002.913031436.0000000001920000.00000002.00000001.sdmpBinary or memory string: Program Manager
                  Source: invoice.exe, 00000004.00000002.913031436.0000000001920000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: invoice.exe, 00000004.00000002.913031436.0000000001920000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: invoice.exe, 00000004.00000002.913031436.0000000001920000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Users\user\Desktop\invoice.exe VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Users\user\Desktop\invoice.exe VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\invoice.exeCode function: 4_2_0606516C GetUserNameW,
                  Source: C:\Users\user\Desktop\invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6488, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6980, type: MEMORY
                  Source: Yara matchFile source: 4.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.invoice.exe.435f638.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.invoice.exe.435f638.2.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\invoice.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentialsShow sources
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\invoice.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\Desktop\invoice.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara matchFile source: 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6488, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6488, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: invoice.exe PID: 6980, type: MEMORY
                  Source: Yara matchFile source: 4.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.invoice.exe.435f638.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.invoice.exe.435f638.2.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1Credentials in Registry1Security Software Discovery211Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System2Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSVirtualization/Sandbox Evasion131Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing3Cached Domain CredentialsAccount Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Owner/User Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery114Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  invoice.exe17%ReversingLabsByteCode-MSIL.Packed.Generic
                  invoice.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  4.2.invoice.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  SourceDetectionScannerLabelLink
                  chefoowork.com0%VirustotalBrowse
                  mail.chefoowork.com0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.tiro.com:0%VirustotalBrowse
                  http://www.tiro.com:0%Avira URL Cloudsafe
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://www.goodfont.co.kr-i0%Avira URL Cloudsafe
                  http://www.fontbureau.commva0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://XMBduf.com0%Avira URL Cloudsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://chefoowork.com0%Avira URL Cloudsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.fontbureau.comgrita0%URL Reputationsafe
                  http://www.fontbureau.comgrita0%URL Reputationsafe
                  http://www.fontbureau.comgrita0%URL Reputationsafe
                  http://www.fonts.comnO0%Avira URL Cloudsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                  http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                  http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                  http://www.churchsw.org/church-projector-project0%Avira URL Cloudsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.krH0%Avira URL Cloudsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.sandoll.co.krormal0%Avira URL Cloudsafe
                  http://www.urwpp.de0%URL Reputationsafe
                  http://www.urwpp.de0%URL Reputationsafe
                  http://www.urwpp.de0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  https://sectigo.com/CPS00%URL Reputationsafe
                  https://sectigo.com/CPS00%URL Reputationsafe
                  https://sectigo.com/CPS00%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  http://ynmdZVkfPM0WUw.com0%Avira URL Cloudsafe
                  http://www.fonts.comic30%Avira URL Cloudsafe
                  http://www.zhongyicts.com.cno.4k0%Avira URL Cloudsafe
                  http://www.churchsw.org/repository/Bibles/0%Avira URL Cloudsafe
                  http://mail.chefoowork.com0%Avira URL Cloudsafe
                  http://www.sandoll.co.krN.TTF0%Avira URL Cloudsafe
                  http://www.goodfont.co.krF0%Avira URL Cloudsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.founder.com.cn/cn/0%URL Reputationsafe
                  http://www.founder.com.cn/cn/0%URL Reputationsafe
                  http://www.founder.com.cn/cn/0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htmWl0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.fontbureau.comtl0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.sakkal.com-e0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  chefoowork.com
                  67.21.94.15
                  truetrueunknown
                  mail.chefoowork.com
                  unknown
                  unknowntrueunknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.tiro.com:invoice.exe, 00000000.00000003.645972306.000000000648B000.00000004.00000001.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://127.0.0.1:HTTP/1.1invoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://www.fontbureau.com/designersGinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                    high
                    http://www.goodfont.co.kr-iinvoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.fontbureau.commvainvoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.fontbureau.com/designers/?invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/bTheinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://XMBduf.cominvoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.com/designers?invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                        high
                        http://www.tiro.cominvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://chefoowork.cominvoice.exe, 00000004.00000002.914437799.0000000003214000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designersinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                          high
                          http://www.goodfont.co.krinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssinvoice.exe, 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmpfalse
                            high
                            http://www.fontbureau.com/designers/Ginvoice.exe, 00000000.00000003.649460358.000000000647C000.00000004.00000001.sdmpfalse
                              high
                              http://www.sajatypeworks.cominvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.typography.netDinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/cTheinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.galapagosdesign.com/staff/dennis.htminvoice.exe, 00000000.00000003.652670720.000000000647C000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://fontfabrik.cominvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comgritainvoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fonts.comnOinvoice.exe, 00000000.00000003.645760203.000000000648B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.galapagosdesign.com/DPleaseinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.ascendercorp.com/typedesigners.htmlinvoice.exe, 00000000.00000003.648358482.000000000647C000.00000004.00000001.sdmp, invoice.exe, 00000000.00000003.648325032.000000000647C000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.churchsw.org/church-projector-projectinvoice.exefalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fonts.cominvoice.exe, 00000000.00000003.645807019.000000000648B000.00000004.00000001.sdmpfalse
                                high
                                http://www.sandoll.co.krinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sandoll.co.krHinvoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.urwpp.deDPleaseinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sandoll.co.krormalinvoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.urwpp.deinvoice.exe, 00000000.00000003.651230932.000000000647C000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.zhongyicts.com.cninvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinvoice.exe, 00000000.00000002.669242244.0000000003251000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.sakkal.cominvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipinvoice.exe, 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmp, invoice.exe, 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.apache.org/licenses/LICENSE-2.0invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.cominvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                      high
                                      http://DynDns.comDynDNSinvoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://sectigo.com/CPS0invoice.exe, 00000004.00000002.912327944.000000000117B000.00000004.00000020.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hainvoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://ynmdZVkfPM0WUw.cominvoice.exe, 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fonts.comic3invoice.exe, 00000000.00000003.645760203.000000000648B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.zhongyicts.com.cno.4kinvoice.exe, 00000000.00000003.647562258.0000000006473000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.fontbureau.com/designers/cabarga.htmlxinvoice.exe, 00000000.00000003.650651642.000000000647C000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.churchsw.org/repository/Bibles/invoice.exefalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://mail.chefoowork.cominvoice.exe, 00000004.00000002.914437799.0000000003214000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sandoll.co.krN.TTFinvoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.goodfont.co.krFinvoice.exe, 00000000.00000003.646701127.0000000006480000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comlinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cn/invoice.exe, 00000000.00000003.647422674.0000000006473000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNinvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.galapagosdesign.com/staff/dennis.htmWlinvoice.exe, 00000000.00000003.652670720.000000000647C000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cninvoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/frere-user.htmlinvoice.exe, 00000000.00000003.650506259.0000000006484000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designers/cabarga.htmlinvoice.exe, 00000000.00000003.650618133.000000000647C000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comtlinvoice.exe, 00000000.00000002.669124554.0000000001910000.00000004.00000040.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers8invoice.exe, 00000000.00000002.677620808.0000000007702000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.fontbureau.com/designers/frere-user.htmlxinvoice.exe, 00000000.00000003.650173899.000000000647C000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.sakkal.com-einvoice.exe, 00000000.00000003.648325032.000000000647C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown

                                                  Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  67.21.94.15
                                                  chefoowork.comUnited States
                                                  46844ST-BGPUStrue

                                                  General Information

                                                  Joe Sandbox Version:32.0.0 Black Diamond
                                                  Analysis ID:404248
                                                  Start date:04.05.2021
                                                  Start time:20:46:16
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 9m 8s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:invoice.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:20
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                                  EGA Information:Failed
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  Show All
                                                  • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 2.20.157.220, 168.61.161.212, 20.50.102.62, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 20.49.157.6
                                                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  20:47:12API Interceptor749x Sleep call for process: invoice.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  67.21.94.15ATuRNgegI7kl7Ua.exeGet hashmaliciousBrowse
                                                    Vcv22W33OiwhO12.exeGet hashmaliciousBrowse
                                                      Catalog.exeGet hashmaliciousBrowse
                                                        5401628864_AWB_28002_2021-17-03 2.exeGet hashmaliciousBrowse
                                                          AVISO CREDITO PAGPROV.exeGet hashmaliciousBrowse
                                                            7070355.exeGet hashmaliciousBrowse
                                                              OC_402981675.exeGet hashmaliciousBrowse
                                                                OC_007943234.exeGet hashmaliciousBrowse
                                                                  QIznD4DaCkKgV4J.exeGet hashmaliciousBrowse
                                                                    U6ODBh62dJ0IYCK.exeGet hashmaliciousBrowse
                                                                      OC_8403754263563.exeGet hashmaliciousBrowse
                                                                        jc7xI20UOg.exeGet hashmaliciousBrowse
                                                                          xIpnl7dBEb.exeGet hashmaliciousBrowse
                                                                            rm1E9ZjuNd.exeGet hashmaliciousBrowse
                                                                              DHL Shipment Info.exeGet hashmaliciousBrowse
                                                                                RFQ.4414_122.exeGet hashmaliciousBrowse
                                                                                  GimRyEHi4ONqTEe.exeGet hashmaliciousBrowse
                                                                                    PO_2002837727_288772.exeGet hashmaliciousBrowse

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                                                      ASN

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                      ST-BGPUSATuRNgegI7kl7Ua.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.15
                                                                                      Vcv22W33OiwhO12.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.15
                                                                                      Catalog.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.15
                                                                                      SecuriteInfo.com.Trojan.DownloaderNET.160.29545.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.4
                                                                                      Proforma Invoice.xlsxGet hashmaliciousBrowse
                                                                                      • 204.188.203.155
                                                                                      RCS76393.exeGet hashmaliciousBrowse
                                                                                      • 104.160.174.177
                                                                                      eQLPRPErea.exeGet hashmaliciousBrowse
                                                                                      • 64.32.22.102
                                                                                      UTcQK0heAfGWTLw.exeGet hashmaliciousBrowse
                                                                                      • 64.32.22.102
                                                                                      RFQ # 1014397402856.pdf.exeGet hashmaliciousBrowse
                                                                                      • 204.188.203.155
                                                                                      BIOTECHPO960488580.exeGet hashmaliciousBrowse
                                                                                      • 205.144.171.210
                                                                                      GJK-KAOHSIUNG-2101.xlsxGet hashmaliciousBrowse
                                                                                      • 205.144.171.138
                                                                                      New Purchase Order.exeGet hashmaliciousBrowse
                                                                                      • 204.188.203.155
                                                                                      9311-32400.pdf.exeGet hashmaliciousBrowse
                                                                                      • 45.58.190.82
                                                                                      ssyrNaO6AP.dllGet hashmaliciousBrowse
                                                                                      • 70.39.99.196
                                                                                      5401628864_AWB_28002_2021-17-03 2.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.15
                                                                                      SPmG3TLdax.exeGet hashmaliciousBrowse
                                                                                      • 204.188.203.155
                                                                                      RDAW-180-47D.exeGet hashmaliciousBrowse
                                                                                      • 64.32.22.102
                                                                                      Doc_3847468364836483638463,pdf.exeGet hashmaliciousBrowse
                                                                                      • 170.178.168.203
                                                                                      gV8xdP8bas.exeGet hashmaliciousBrowse
                                                                                      • 104.160.174.169
                                                                                      DHL.INFORMATION.TRACKING.exeGet hashmaliciousBrowse
                                                                                      • 67.21.94.4

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log
                                                                                      Process:C:\Users\user\Desktop\invoice.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1314
                                                                                      Entropy (8bit):5.350128552078965
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.612907586857075
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      File name:invoice.exe
                                                                                      File size:657408
                                                                                      MD5:1a59efb27c11d1ae0959bf6661e23538
                                                                                      SHA1:6c5513edcdbbec2e332601bc136c3bf293b257fd
                                                                                      SHA256:35a971b8e884d2d443a0d998e1f5c86cac85fe32af0eac3ba3bd518580f26678
                                                                                      SHA512:7edebf42e9c80b7de2b6e31bf6d997ac7bcb3b64aff48119a6eb6287cb43f3b810dd80238f39c1b83d64ab4dfce6bf9757b349d9255a890c06eeb588dc6b3cc8
                                                                                      SSDEEP:12288:NGgJvG5+IQEOKMrkXAEcapHnZWa7lDrGeZ7J3UvnjK:MgJvDTEOKNXFpEA7Jk
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............b.... ... ....@.. .......................`............@................................

                                                                                      File Icon

                                                                                      Icon Hash:00828e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x4a1d62
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x60912EF9 [Tue May 4 11:24:41 2021 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al

                                                                                      Data Directories

                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xa1d100x4f.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xa20000x424.rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xa40000xc.reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      .text0x20000x9fd680x9fe00False0.795957229769data7.62508857658IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc0xa20000x4240x600False0.289713541667data2.42756322043IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc0xa40000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      NameRVASizeTypeLanguageCountry
                                                                                      RT_VERSION0xa20580x3c8data

                                                                                      Imports

                                                                                      DLLImport
                                                                                      mscoree.dll_CorExeMain

                                                                                      Version Infos

                                                                                      DescriptionData
                                                                                      Translation0x0000 0x04b0
                                                                                      LegalCopyrightCopyright Felix Jeyareuben 2012
                                                                                      Assembly Version2.0.0.0
                                                                                      InternalNameRijndaelManagedTransform.exe
                                                                                      FileVersion2.0
                                                                                      CompanyNamewww.churchsw.org
                                                                                      LegalTrademarksChurch Software
                                                                                      Comments
                                                                                      ProductNameChurch Projector
                                                                                      ProductVersion2.0
                                                                                      FileDescriptionChurch Projector
                                                                                      OriginalFilenameRijndaelManagedTransform.exe

                                                                                      Network Behavior

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      May 4, 2021 20:48:55.886637926 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:56.079209089 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:56.079359055 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:56.438600063 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:56.439112902 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:56.631918907 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:56.632364988 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:56.827056885 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:56.874015093 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:56.903604984 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.106219053 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.106261969 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.106272936 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.106292963 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.106308937 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.106417894 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.106499910 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.111130953 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.148775101 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.342194080 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.389724016 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.683432102 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:57.877511978 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:57.878709078 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:58.071715117 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:58.072448015 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:58.306613922 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:58.501542091 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:58.502100945 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:58.693665028 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:58.694238901 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:58.925160885 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:58.925677061 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:59.117305994 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.119545937 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:59.119587898 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:59.119761944 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:59.119770050 CEST49771587192.168.2.467.21.94.15
                                                                                      May 4, 2021 20:48:59.313139915 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.313165903 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.313178062 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.313189030 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.319694996 CEST5874977167.21.94.15192.168.2.4
                                                                                      May 4, 2021 20:48:59.374453068 CEST49771587192.168.2.467.21.94.15

                                                                                      UDP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      May 4, 2021 20:46:55.308562040 CEST4971453192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:46:55.357300997 CEST53497148.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:46:56.418832064 CEST5802853192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:46:56.478195906 CEST53580288.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:46:57.204322100 CEST5309753192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:46:57.261778116 CEST53530978.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:46:57.664890051 CEST4925753192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:46:57.733747005 CEST53492578.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:46:58.863512039 CEST6238953192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:46:58.913793087 CEST53623898.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:00.198642969 CEST4991053192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:00.250102997 CEST53499108.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:01.562326908 CEST5585453192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:01.614088058 CEST53558548.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:02.595196962 CEST6454953192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:02.643806934 CEST53645498.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:03.724561930 CEST6315353192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:03.773454905 CEST53631538.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:04.540361881 CEST5299153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:04.591876984 CEST53529918.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:05.475644112 CEST5370053192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:05.534707069 CEST53537008.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:06.600827932 CEST5172653192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:06.663393974 CEST53517268.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:07.509717941 CEST5679453192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:07.558408022 CEST53567948.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:08.445209026 CEST5653453192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:08.493815899 CEST53565348.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:09.325426102 CEST5662753192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:09.376822948 CEST53566278.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:10.308964968 CEST5662153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:10.357498884 CEST53566218.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:11.503861904 CEST6311653192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:11.554511070 CEST53631168.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:12.633982897 CEST6407853192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:12.682523966 CEST53640788.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:13.799525023 CEST6480153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:13.849663019 CEST53648018.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:27.419760942 CEST6172153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:27.469161034 CEST53617218.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:31.472867966 CEST5125553192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:31.535389900 CEST53512558.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:45.299133062 CEST6152253192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:45.420372009 CEST53615228.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:46.005215883 CEST5233753192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:46.302139997 CEST53523378.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:46.897455931 CEST5504653192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:46.954340935 CEST53550468.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:47.068720102 CEST4961253192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:47.126574039 CEST53496128.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:47.382806063 CEST4928553192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:47.592140913 CEST53492858.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:48.278194904 CEST5060153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:48.330339909 CEST53506018.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:48.970706940 CEST6087553192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:49.030683041 CEST53608758.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:49.419503927 CEST5644853192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:49.479090929 CEST53564488.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:49.534406900 CEST5917253192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:49.591427088 CEST53591728.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:50.654434919 CEST6242053192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:50.713545084 CEST53624208.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:51.629568100 CEST6057953192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:51.678473949 CEST53605798.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:47:52.210251093 CEST5018353192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:47:52.261642933 CEST53501838.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:01.715611935 CEST6153153192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:01.772701979 CEST53615318.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:02.103682041 CEST4922853192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:02.162940025 CEST53492288.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:05.248570919 CEST5979453192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:05.307259083 CEST53597948.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:36.449769020 CEST5591653192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:36.499744892 CEST53559168.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:38.232959986 CEST5275253192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:38.292238951 CEST53527528.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:55.333537102 CEST6054253192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:55.543627024 CEST53605428.8.8.8192.168.2.4
                                                                                      May 4, 2021 20:48:55.554277897 CEST6068953192.168.2.48.8.8.8
                                                                                      May 4, 2021 20:48:55.766128063 CEST53606898.8.8.8192.168.2.4

                                                                                      DNS Queries

                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                      May 4, 2021 20:48:55.333537102 CEST192.168.2.48.8.8.80xa05bStandard query (0)mail.chefoowork.comA (IP address)IN (0x0001)
                                                                                      May 4, 2021 20:48:55.554277897 CEST192.168.2.48.8.8.80xb24eStandard query (0)mail.chefoowork.comA (IP address)IN (0x0001)

                                                                                      DNS Answers

                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                      May 4, 2021 20:48:55.543627024 CEST8.8.8.8192.168.2.40xa05bNo error (0)mail.chefoowork.comchefoowork.comCNAME (Canonical name)IN (0x0001)
                                                                                      May 4, 2021 20:48:55.543627024 CEST8.8.8.8192.168.2.40xa05bNo error (0)chefoowork.com67.21.94.15A (IP address)IN (0x0001)
                                                                                      May 4, 2021 20:48:55.766128063 CEST8.8.8.8192.168.2.40xb24eNo error (0)mail.chefoowork.comchefoowork.comCNAME (Canonical name)IN (0x0001)
                                                                                      May 4, 2021 20:48:55.766128063 CEST8.8.8.8192.168.2.40xb24eNo error (0)chefoowork.com67.21.94.15A (IP address)IN (0x0001)

                                                                                      SMTP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                                                      May 4, 2021 20:48:56.438600063 CEST5874977167.21.94.15192.168.2.4220-web2.changeip.com ESMTP Exim 4.94 #2 Tue, 04 May 2021 14:48:55 -0400
                                                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                                                      220 and/or bulk e-mail.
                                                                                      May 4, 2021 20:48:56.439112902 CEST49771587192.168.2.467.21.94.15EHLO 123716
                                                                                      May 4, 2021 20:48:56.631918907 CEST5874977167.21.94.15192.168.2.4250-web2.changeip.com Hello 123716 [84.17.52.3]
                                                                                      250-SIZE 52428800
                                                                                      250-8BITMIME
                                                                                      250-PIPELINING
                                                                                      250-X_PIPE_CONNECT
                                                                                      250-STARTTLS
                                                                                      250 HELP
                                                                                      May 4, 2021 20:48:56.632364988 CEST49771587192.168.2.467.21.94.15STARTTLS
                                                                                      May 4, 2021 20:48:56.827056885 CEST5874977167.21.94.15192.168.2.4220 TLS go ahead

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior

                                                                                      Click to jump to process

                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:20:47:02
                                                                                      Start date:04/05/2021
                                                                                      Path:C:\Users\user\Desktop\invoice.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\invoice.exe'
                                                                                      Imagebase:0xe00000
                                                                                      File size:657408 bytes
                                                                                      MD5 hash:1A59EFB27C11D1AE0959BF6661E23538
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.669341704.00000000032C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.670894722.0000000004259000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:20:47:13
                                                                                      Start date:04/05/2021
                                                                                      Path:C:\Users\user\Desktop\invoice.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\invoice.exe
                                                                                      Imagebase:0xa80000
                                                                                      File size:657408 bytes
                                                                                      MD5 hash:1A59EFB27C11D1AE0959BF6661E23538
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.913638464.0000000002EB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.910976432.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Disassembly

                                                                                      Code Analysis

                                                                                      Reset < >