Analysis Report Proforma invoice.exe

Overview

General Information

Sample Name: Proforma invoice.exe
Analysis ID: 432701
MD5: f21a47403b0e52b1b4abe5e55a5cb719
SHA1: 4a61f9e71430e8171de1953ee1655443e661a626
SHA256: 4afda0db963cde192e39839e8684735c5f1a229ffbbd5674479845959d76ca86
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Proforma invoice.exe (PID: 4824 cmdline: 'C:\Users\user\Desktop\Proforma invoice.exe' MD5: F21A47403B0E52B1B4ABE5E55A5CB719)
    • schtasks.exe (PID: 3544 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1760 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • newapp.exe (PID: 5824 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • newapp.exe (PID: 4588 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "aaspa@vivaldi.net", "Password": "67968664JeBlachqwin", "Host": "smtp.vivaldi.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.Proforma invoice.exe.da112b8.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Proforma invoice.exe.da112b8.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.Proforma invoice.exe.da112b8.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Proforma invoice.exe.da112b8.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
15.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 15.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "aaspa@vivaldi.net", "Password": "67968664JeBlachqwin", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Proforma invoice.exe | Virustotal: Detection: 29%
Source: Proforma invoice.exe | ReversingLabs: Detection: 41%
Source: 15.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.Proforma invoice.exe.810000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Proforma invoice.exe | Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack
Source: Proforma invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Proforma invoice.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proforma invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: newapp.exe, newapp.exe.15.dr
Source: Binary string: mscorrc.pdb source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmp
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://sDFZcX.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comi
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Proforma invoice.exe, 00000001.00000003.209966123.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue
Source: Proforma invoice.exe, 00000001.00000003.209907393.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comueT
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma invoice.exe, 00000001.00000003.212080424.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma invoice.exe, 00000001.00000003.213404031.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html0
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma invoice.exe, 00000001.00000003.213404031.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlj
Source: Proforma invoice.exe, 00000001.00000003.212807113.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proforma invoice.exe, 00000001.00000003.212063370.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/l
Source: Proforma invoice.exe, 00000001.00000003.212393462.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers4
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma invoice.exe, 00000001.00000003.212358398.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers=
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersn
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com:
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comT.TTF1
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comV
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.213749822.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: Proforma invoice.exe, 00000001.00000003.212358398.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomtV
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Proforma invoice.exe, 00000001.00000003.213054179.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd:
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: Proforma invoice.exe, 00000001.00000003.212063370.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiva
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commito_
Source: Proforma invoice.exe, 00000001.00000003.212267014.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtV
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comue
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comueedI
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma invoice.exe, 00000001.00000003.209412965.00000000056C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma invoice.exe, 00000001.00000003.208978324.00000000056BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnR(2
Source: Proforma invoice.exe, 00000001.00000003.216206445.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.215346137.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma invoice.exe, 00000001.00000003.215304282.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/v
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: Proforma invoice.exe, 00000001.00000003.210641837.0000000005698000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Proforma invoice.exe, 00000001.00000003.210099091.0000000005695000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sNT
Source: Proforma invoice.exe, 00000001.00000003.210220551.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sRA
Source: Proforma invoice.exe, 00000001.00000003.210099091.0000000005695000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/su1
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: Proforma invoice.exe, 00000001.00000003.220603699.00000000056C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.b7
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Proforma invoice.exe, 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, RegSvcs.exe, 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Proforma invoice.exe, 00000001.00000002.314828017.000000000101A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 15.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{05A5ADEF-639C-4893-BC8B-652238502014}/3641B4B2-A8E7-4271-A8F2-BFB87CA30B05.cs | Large array initialization: .cctor: array initializer size 11751
Source: 15.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{05A5ADEF-639C-4893-BC8B-652238502014}/3641B4B2-A8E7-4271-A8F2-BFB87CA30B05.cs | Large array initialization: .cctor: array initializer size 11751
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Proforma invoice.exe
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFECE8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFC1F0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFC570
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF8A60
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFCBF8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF87C8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF2F90
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFFB80
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF2770
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFE368
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFDB60
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF00F1
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF54A8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF5499
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF9050
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFD038
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF0100
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFC290
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FFE7B8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF2F80
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07076D78
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070757B8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07076FB8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07076A38
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07074060
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070760B8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07071EE0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_0707452C
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07071D30
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07071D40
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07070978
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07070988
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070757A8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070759DF
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070759F0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07073401
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07073420
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07076A28
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07074050
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07076068
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07072E9D
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070760A8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070748B1
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070742B0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070748C0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_070742C0
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07071ACB
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07072EC8
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_07071AD8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\newapp\newapp.exe D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
Source: Proforma invoice.exe | Binary or memory string: OriginalFilename vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.315748582.000000000300C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVAkTBYOPsNMUVxPRYEUwnMb.exe4 vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.323056808.0000000006FE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.324184380.0000000008E90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.324327287.0000000008F80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.324327287.0000000008F80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.314144932.00000000008F6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamezdK5.exe: vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.314828017.000000000101A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Proforma invoice.exe
Source: Proforma invoice.exe, 00000001.00000002.315763569.0000000003010000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs Proforma invoice.exe
Source: Proforma invoice.exe | Binary or memory string: OriginalFilenamezdK5.exe: vs Proforma invoice.exe
Source: C:\Users\user\Desktop\Proforma invoice.exe | Section loaded: windows.staterepositoryps.dll
Source: Proforma invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 15.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/7@0/0
Source: C:\Users\user\Desktop\Proforma invoice.exe | File created: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe
Source: C:\Users\user\Desktop\Proforma invoice.exe | Mutant created: \Sessions\1\BaseNamedObjects\amofltH
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_01
Source: C:\Users\user\Desktop\Proforma invoice.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp
Source: Proforma invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Proforma invoice.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Proforma invoice.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Proforma invoice.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Proforma invoice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Proforma invoice.exeVirustotal: Detection: 29%
                      Source: Proforma invoice.exeReversingLabs: Detection: 41%
                      Source: C:\Users\user\Desktop\Proforma invoice.exeFile read: C:\Users\user\Desktop\Proforma invoice.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Proforma invoice.exe 'C:\Users\user\Desktop\Proforma invoice.exe'
                      Source: C:\Users\user\Desktop\Proforma invoice.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Proforma invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                      Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Proforma invoice.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Proforma invoice.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                      Source: Proforma invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Desktop\Proforma invoice.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: Proforma invoice.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb source: newapp.exe, newapp.exe.15.dr
                      Source: Binary string: mscorrc.pdb source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmp

                      Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Proforma invoice.exe | Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Proforma invoice.exe | Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00812EB2 pushad ; iretd 1_2_00812EBD
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00816C3C push edx; iretd 1_2_00816C3D
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF64FE push 03FFFFFCh; retf 1_2_00FF6503
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF1001 pushad ; iretd 1_2_00FF1004
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF5971 push esp; iretd 1_2_00FF5972
Source: C:\Users\user\Desktop\Proforma invoice.exe | Code function: 1_2_00FF4320 pushad ; ret 1_2_00FF4321
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 22_2_05750F53 push 44418B01h; ret 22_2_05750F63
Source: initial sample | Static PE information: section name: .text entropy: 7.0859237683 (2 identical entries)
Source: C:\Users\user\Desktop\Proforma invoice.exe | File created: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe (dropped file)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe (dropped file)
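The two unpacking signatures and the .text entropy entry above rest on simple checks that are worth having in hand when reading such reports. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it parses the report's own section-rights notation to separate "sections renamed" (header rewritten in memory) from "section rights changed", and computes the byte entropy used by the packing heuristic. The section notation and the value 7.0859 are taken from the report; the function names, the 7.0 cut-off and the test byte strings are assumptions.

```python
"""Added example, not code from the Joe Sandbox report above: the two checks
behind the 'Detected unpacking' and '.text entropy' entries. The section-rights
notation ('.text:ER;.rsrc:R;...' vs 'Unknown_Section0:ER;...') and the entropy
value 7.0859 are taken from the report; the function names, the 7.0 threshold
and the constructed byte strings are this example's own assumptions."""
import math
from typing import Dict, List, Tuple


def parse_section_rights(spec: str) -> List[Tuple[str, str]]:
    """Turn 'name:RIGHTS;name:RIGHTS;' into an ordered list of (name, rights).
    Rights letters as in the report: E = execute, R = read, W = write."""
    sections = []
    for item in spec.strip().split(";"):
        if not item:
            continue
        name, _, rights = item.rpartition(":")
        sections.append((name, rights.upper()))
    return sections


def compare_sections(on_disk: str, in_memory: str) -> Dict[str, object]:
    """Compare the section table of the file on disk with the table seen in the
    process after unpacking. Sections are paired by position because an
    unpacker that rewrites its own PE header usually wipes the names too."""
    disk = parse_section_rights(on_disk)
    mem = parse_section_rights(in_memory)
    result = {"renamed": [], "rights_changed": [], "count_changed": len(disk) != len(mem)}
    for (dname, drights), (mname, mrights) in zip(disk, mem):
        if dname != mname:
            result["renamed"].append((dname, mname))
        if set(drights) != set(mrights):
            result["rights_changed"].append((dname, drights, mrights))
    return result


def header_overwritten(on_disk: str, in_memory: str) -> bool:
    """True when every section lost its on-disk name: the PE header was rewritten in memory."""
    cmp = compare_sections(on_disk, in_memory)
    return len(cmp["renamed"]) == len(parse_section_rights(on_disk)) > 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(entropy: float, threshold: float = 7.0) -> bool:
    """Plain compiled code sits well below 7 bits/byte; compressed or encrypted
    payloads push a section towards 8. The 7.0 cut-off is an assumption."""
    return entropy >= threshold


# Constructed inputs: the report's own section notation, plus a made-up variant
# in which the unpacker left the names alone but made .text writable.
REPORT_DISK = ".text:ER;.rsrc:R;.reloc:R;"
REPORT_MEMORY = "Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;"
WRITABLE_TEXT = ".text:ERW;.rsrc:R;.reloc:R;"


if __name__ == "__main__":
    print(compare_sections(REPORT_DISK, REPORT_MEMORY))
    print(header_overwritten(REPORT_DISK, REPORT_MEMORY))
    print(compare_sections(REPORT_DISK, WRITABLE_TEXT)["rights_changed"])
    print(looks_packed(7.0859237683))                               # the report's .text value
    print(looks_packed(shannon_entropy(bytes(range(256)) * 16)))   # uniform bytes: 8.0
    print(looks_packed(shannon_entropy(b"MZ" * 4096)))             # two symbols: 1.0
```

Note that for this sample the rights letters are identical on disk and in memory; what the comparison surfaces is that all three section names were replaced, which is the header-overwrite case. A .NET loader that decrypts and maps a second-stage assembly in place typically produces exactly this picture.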

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp (2 identical entries)

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
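The Boot Survival and Hiding sections above together describe one persistence chain: the dropper registers a scheduled task from an XML file staged in %TEMP%, the injected RegSvcs.exe process adds a Run value and then strips the Zone.Identifier stream from the copy it wrote under AppData. The following Python is an added example, not code from the report or from any sandbox product: it runs a triage pass over sandbox-style events and reproduces those findings, plus the "legitimate .NET host launched from a user-writable path" pattern that explains why RegSvcs.exe appears as the actor. The event dictionaries are constructed from values in the report; the event schema, the data path of the Run value and the list of commonly abused .NET host binaries are assumptions.

```python
"""Added example, not code from the report: a triage pass over sandbox-style
process, registry and file events that reproduces the 'Uses schtasks.exe',
'Run key' and 'Zone.Identifier' findings in the two sections above. The event
dicts are constructed here from values in the report; the event schema, the
Run value's data path and the list of abused .NET host binaries are this
example's own assumptions."""
import re
from typing import Dict, List, Tuple

# Signed .NET framework utilities that commodity loaders start suspended and
# inject into (assumed list; the report shows RegSvcs.exe being used this way).
DOTNET_INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Extract /TN and /XML from a schtasks /Create command line, whether the
    arguments are single-quoted (as the report prints them), double-quoted or bare."""
    out = {}
    for flag in ("TN", "XML"):
        m = re.search(r"/%s\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))" % flag, cmdline, re.I)
        if m:
            out[flag.lower()] = m.group(1) or m.group(2) or m.group(3)
    return out


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the persistence and hiding
    behaviours the report flags; events that match nothing produce no finding."""
    findings = []
    for ev in events:
        if ev["type"] == "process_created":
            cmd, parent, image = ev["cmdline"], ev["parent"], basename(ev["image"])
            if re.search(r"schtasks(\.exe)?['\"]?\s+/create", cmd, re.I):
                args = parse_schtasks(cmd)
                xml = args.get("xml", "")
                if TEMP_DIR.search(xml):   # task definition staged in %TEMP% by the dropper
                    findings.append(("persistence:schtasks",
                                     "task '%s' created from temp XML %s by %s" % (args.get("tn"), xml, parent)))
            if image in DOTNET_INJECTION_HOSTS and USER_WRITABLE.search(parent):
                findings.append(("injection-host", "%s launched by %s" % (image, parent)))
        elif ev["type"] == "registry_set":
            if ev["key"].lower().endswith("\\currentversion\\run") and USER_WRITABLE.search(ev["data"]):
                findings.append(("persistence:run-key", "%s\\%s -> %s" % (ev["key"], ev["value"], ev["data"])))
        elif ev["type"] == "file_open":
            if ev["path"].lower().endswith(":zone.identifier") and "delete" in ev["access"].lower():
                findings.append(("motw-removed", "%s deleted the Zone.Identifier stream of %s"
                                 % (ev["process"], ev["path"].rsplit(":", 1)[0])))
    return findings


# Constructed events mirroring the report's entries, plus one benign control.
EVENTS = [
    {"type": "process_created",
     "parent": r"C:\Users\user\Desktop\Proforma invoice.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'"},
    {"type": "process_created",
     "parent": r"C:\Users\user\Desktop\Proforma invoice.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"},
    {"type": "registry_set", "process": "RegSvcs.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "newapp",
     "data": r"C:\Users\user\AppData\Roaming\newapp\newapp.exe"},   # data path assumed
    {"type": "file_open", "process": "RegSvcs.exe",
     "path": r"C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "process_created",   # control: same host binary, system parent, no finding
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"},
]

if __name__ == "__main__":
    for category, detail in triage(EVENTS):
        print(category, "-", detail)
```

The temp-XML condition matters: `schtasks /Create /XML` is used legitimately by installers, but a task definition written to %TEMP% by a user-mode binary and registered under a folder like `Updates\` is the loader pattern, and the `/XML` file itself (tmp3BCD.tmp here) is worth recovering from the sandbox because it holds the trigger and the action path.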

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: Proforma invoice.exe PID: 4824, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Proforma invoice.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Proforma invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 379
Source: C:\Users\user\Desktop\Proforma invoice.exe TID: 5488 | Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\Proforma invoice.exe TID: 5644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4592 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 5604 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Proforma invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Proforma invoice.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\Proforma invoice.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: D4C008
Source: C:\Users\user\Desktop\Proforma invoice.exe - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Users\user\Desktop\Proforma invoice.exe - Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp - Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp - Binary or memory string: Progman
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp - Binary or memory string: Progmanlock