Windows Analysis Report Due Invoices.exe

Overview

General Information

Sample Name: Due Invoices.exe
Analysis ID: 483783
MD5: a6b52f7798a38a5698e46c0a175a29d1
SHA1: ffb626154125d6e7842069475af74c87a0472a1e
SHA256: 6bb2aaf5abceeec0ba17d3a4a857de168176ff58c688d931d6b4ca71295b3fa7
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Due Invoices.exe Virustotal: Detection: 27%
Source: Due Invoices.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe ReversingLabs: Detection: 17%
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.Due Invoices.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 20.2.bin2.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Due Invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Due Invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Due Invoices.exe, 00000007.00000002.930110684.00000000033FD000.00000004.00000001.sdmp String found in binary or memory: http://FzDyJtWTr6Up41DQo.com
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://TxPJSD.com
Source: Due Invoices.exe, 00000000.00000003.661595075.0000000005D5A000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.663332421.0000000005D61000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp String found in binary or memory: http://mail.ontime.com.ph
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp String found in binary or memory: http://ontime.com.ph
Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Due Invoices.exe, 00000000.00000003.667688318.0000000005D5A000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.ht2
Source: Due Invoices.exe, 00000000.00000003.667331933.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Due Invoices.exe, 00000000.00000003.665335528.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comhU(
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers:
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Due Invoices.exe, 00000000.00000002.702845400.0000000001307000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.commicolY
Source: Due Invoices.exe, 00000000.00000003.661649227.0000000005D6B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Due Invoices.exe, 00000000.00000003.664347425.0000000005D53000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.675160937.0000000005D5E000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com;S
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comES
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comNorm
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Due Invoices.exe, 00000000.00000003.669412919.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de.rWS0
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de;S
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deXS9
Source: Due Invoices.exe, 00000000.00000003.668744407.0000000005D8D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dewa
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Due Invoices.exe, 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, bin2.exe, 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.ontime.com.ph

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: bin2.exe, 0000000E.00000002.797144490.000000000168B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Due Invoices.exe
Uses 32bit PE files
Source: Due Invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3B38 0_2_02BF3B38
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF2F38 0_2_02BF2F38
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF51E0 0_2_02BF51E0
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF21D0 0_2_02BF21D0
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF2918 0_2_02BF2918
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF1D7C 0_2_02BF1D7C
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3EF2 0_2_02BF3EF2
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF0388 0_2_02BF0388
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF23C9 0_2_02BF23C9
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3B29 0_2_02BF3B29
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF2F28 0_2_02BF2F28
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF0378 0_2_02BF0378
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3828 0_2_02BF3828
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3817 0_2_02BF3817
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3DBC 0_2_02BF3DBC
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3DFB 0_2_02BF3DFB
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF21C1 0_2_02BF21C1
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF2908 0_2_02BF2908
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF3D70 0_2_02BF3D70
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 0_2_02BF7D60 0_2_02BF7D60
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01532D28 7_2_01532D28
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_015347A7 7_2_015347A7
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01539290 7_2_01539290
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01534688 7_2_01534688
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_0153F138 7_2_0153F138
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01530040 7_2_01530040
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01539A38 7_2_01539A38
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_01539AD8 7_2_01539AD8
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_0153B891 7_2_0153B891
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_0153B8A0 7_2_0153B8A0
Source: C:\Users\user\Desktop\Due Invoices.exe Code function: 7_2_015316A0 7_2_015316A0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_0167E5CB 14_2_0167E5CB
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_0167E5D8 14_2_0167E5D8
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_0167BC34 14_2_0167BC34
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E21D0 14_2_030E21D0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E30DC 14_2_030E30DC
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E2E48 14_2_030E2E48
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E1CCC 14_2_030E1CCC
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E2B37 14_2_030E2B37
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E0378 14_2_030E0378
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E0388 14_2_030E0388
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E3212 14_2_030E3212
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E311B 14_2_030E311B
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E7139 14_2_030E7139
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E7148 14_2_030E7148
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E21C0 14_2_030E21C0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E3090 14_2_030E3090
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7E850 14_2_08A7E850
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A791A0 14_2_08A791A0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A79998 14_2_08A79998
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7AA00 14_2_08A7AA00
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A74390 14_2_08A74390
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7E5D0 14_2_08A7E5D0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7AD28 14_2_08A7AD28
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A766C8 14_2_08A766C8
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7E840 14_2_08A7E840
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A799CD 14_2_08A799CD
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7AAA1 14_2_08A7AAA1
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_08A7E5C0 14_2_08A7E5C0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0151E5D8 15_2_0151E5D8
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0151E5CA 15_2_0151E5CA
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0151BC34 15_2_0151BC34
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_051E1D7C 15_2_051E1D7C
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_051E21D0 15_2_051E21D0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_051E21C0 15_2_051E21C0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_051E0388 15_2_051E0388
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_051E0387 15_2_051E0387
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07532658 15_2_07532658
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07530688 15_2_07530688
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B528 15_2_0753B528
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537418 15_2_07537418
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07533140 15_2_07533140
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537E98 15_2_07537E98
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537770 15_2_07537770
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753067B 15_2_0753067B
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753F638 15_2_0753F638
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753F628 15_2_0753F628
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B518 15_2_0753B518
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537408 15_2_07537408
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B35F 15_2_0753B35F
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753D377 15_2_0753D377
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753D378 15_2_0753D378
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B360 15_2_0753B360
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753E148 15_2_0753E148
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753E138 15_2_0753E138
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_075360F0 15_2_075360F0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_075360E0 15_2_075360E0
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B0B7 15_2_0753B0B7
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753B0B8 15_2_0753B0B8
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753AE7F 15_2_0753AE7F
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537E97 15_2_07537E97
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753AE80 15_2_0753AE80
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07537E89 15_2_07537E89
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753CD90 15_2_0753CD90
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753CD8F 15_2_0753CD8F
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753DC97 15_2_0753DC97
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753DC98 15_2_0753DC98
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_075378C8 15_2_075378C8
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_075378B8 15_2_075378B8
Sample file is different than original file name gathered from version info
Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
Source: Due Invoices.exe, 00000000.00000002.706329549.0000000003FB5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Due Invoices.exe
Source: Due Invoices.exe, 00000000.00000003.686549649.0000000008B87000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
Source: Due Invoices.exe, 00000007.00000000.700763596.0000000000DB8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
Source: Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
Source: Due Invoices.exe Binary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
PE file contains strange resources
Source: Due Invoices.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Due Invoices.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Due Invoices.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CrYyKQbnVaYHC.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CrYyKQbnVaYHC.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CrYyKQbnVaYHC.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bin2.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bin2.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bin2.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Due Invoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CrYyKQbnVaYHC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bin2.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Due Invoices.exe Virustotal: Detection: 27%
Source: Due Invoices.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\Due Invoices.exe File read: C:\Users\user\Desktop\Due Invoices.exe
Source: Due Invoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Due Invoices.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Due Invoices.exe 'C:\Users\user\Desktop\Due Invoices.exe'
Source: C:\Users\user\Desktop\Due Invoices.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Due Invoices.exe Process created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe 'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe 'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: C:\Users\user\Desktop\Due Invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe
Source: C:\Users\user\Desktop\Due Invoices.exe File created: C:\Users\user\AppData\Local\Temp\tmpE452.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/9@2/0
Source: C:\Users\user\Desktop\Due Invoices.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Due Invoices.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Mutant created: \Sessions\1\BaseNamedObjects\rqJblVj
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
Source: Due Invoices.exe, 00000000.00000003.675563827.0000000005D96000.00000004.00000001.sdmp Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnta{?
Source: Due Invoices.exe, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: bin2.exe.7.dr, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Due Invoices.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Due Invoices.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Due Invoices.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Due Invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Due Invoices.exe, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bin2.exe.7.dr, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E67F7 push cs; ret 14_2_030E6804
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 14_2_030E3E56 push ss; retf 14_2_030E3E57
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_07532648 pushfd ; retf 15_2_07532656
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753662E push cs; retf 15_2_0753662F
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753A401 push 3C075A98h; retf 15_2_0753A40D
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753F1C8 pushad ; iretd 15_2_0753F2E5
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753EDC9 push ss; retf 15_2_0753EDCE
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Code function: 15_2_0753EB28 push ss; retf 15_2_0753EDCE
Source: initial sample Static PE information: section name: .text entropy: 7.77383122415
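The three signatures above describe one thing: a .NET crypter whose visible code only decrypts a blob (`CreateDecryptor` / `TransformFinalBlock`) and hands it to `Assembly.Load(byte[])`, so the real payload never touches disk and the `.text` section is almost incompressible (7.77 of a possible 8 bits per byte). The push/ret listing is weaker evidence than it looks: `push cs; ret` cannot be live control flow in a 32-bit process (the `ret` would load a segment selector into EIP), so those pairs are what a linear disassembler produces from encrypted bytes. The following is an added example, not code from the report or from the sample, that computes section entropy and scans for the same push/ret pairs on a constructed buffer; the opcode set and the 7.0 packed threshold are this example's assumptions.

```python
"""Static triage heuristics behind the entries above: section entropy and
push/ret junk sequences. Added example, not code from the report or the sample."""
import math
from collections import Counter

# 32-bit x86 opcode bytes for the push-class and ret-class instructions seen in
# the listing. Opcode set and threshold are this example's assumptions.
PUSH_SEG = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
PUSH_ALL = {0x60: "pushad", 0x9C: "pushfd"}
PUSH_IMM32 = 0x68
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
PACKED_ENTROPY = 7.0  # bits/byte; compiled x86 .text normally sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    The report's .text at 7.77 is close to the ceiling, i.e. packed or encrypted."""
    n = len(data)
    if n == 0:
        return 0.0
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def find_push_ret(data: bytes, base: int = 0) -> list:
    """(address, mnemonic) for a push-class opcode immediately followed by a
    ret-class opcode. A linear byte scan, not a disassembler: it mirrors the
    'call, push, ret' heuristic and has the same false positives on data."""
    hits = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in PUSH_SEG or b in PUSH_ALL:
            name, nxt = PUSH_SEG.get(b) or PUSH_ALL[b], i + 1
        elif b == PUSH_IMM32 and i + 5 < len(data):
            imm = int.from_bytes(data[i + 1:i + 5], "little")
            name, nxt = f"push {imm:08X}h", i + 5
        else:
            i += 1
            continue
        if nxt < len(data) and data[nxt] in RETS:
            hits.append((base + i, f"{name}; {RETS[data[nxt]]}"))
            i = nxt + 1
        else:
            i += 1
    return hits


def triage(section: bytes, base: int = 0) -> dict:
    """Combine both signals. push/ret pairs inside a near-random section are
    disassembled data, not obfuscated code: the entropy is the finding, the
    pairs are corroboration at best."""
    ent = shannon_entropy(section)
    pairs = find_push_ret(section, base)
    return {
        "entropy": round(ent, 4),
        "likely_packed": ent >= PACKED_ENTROPY,
        "push_ret_pairs": pairs,
        "pairs_are_probably_noise": ent >= PACKED_ENTROPY and bool(pairs),
    }


def constructed_section() -> bytes:
    """Constructed input: 1 KiB of uniformly distributed bytes with two of the
    sequences from the listing spliced in at fixed offsets."""
    buf = bytearray(bytes(range(256)) * 4)
    buf[0x10:0x12] = b"\x0e\xc3"                      # push cs; ret
    buf[0x40:0x46] = b"\x68\x98\x5a\x07\x3c\xcb"      # push 3C075A98h; retf
    return bytes(buf)


if __name__ == "__main__":
    result = triage(constructed_section(), base=0x030E0000)
    for addr, mnem in result["push_ret_pairs"]:
        print(f"{addr:08X} {mnem}")
    print(result["entropy"], triage(b"\x00" * 4096)["entropy"])
```

Run against a real section (for example `pefile`'s `section.get_data()`) the entropy figure is the number to act on; the push/ret hits only say that something in the section is not code.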

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Due Invoices.exe File created: C:\Users\user\AppData\Roaming\bin2\bin2.exe Jump to dropped file
Source: C:\Users\user\Desktop\Due Invoices.exe File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Due Invoices.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Users\user\Desktop\Due Invoices.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin2 Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Roaming\bin2\bin2.exe:Zone.Identifier read attributes | delete Jump to behavior
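The entries from "Drops PE files" down to this one form a single persistence chain: a PE is dropped under %APPDATA%, its Zone.Identifier stream (the mark-of-the-web) is opened with delete access, a Run value is written, and a scheduled task is registered from an XML file in the user's Temp directory, which keeps the task body off the command line. The following is an added example, not part of the sandbox report, that runs four detection rules over constructed Sysmon-style events modelled on those entries and correlates the hits by acting process. Assumptions: the Run value's data (the report shows only the value name `bin2`), the HKU key path, the FileDelete shape for the stream removal, and the benign control event.

```python
"""Detection logic for the persistence chain in the entries above, run over
constructed Sysmon-style events. Added example, not part of the sandbox report."""
import re
from collections import defaultdict
from typing import Optional

# Constructed events modelled on the report's evidence. Field names follow
# Sysmon (Image, ParentImage, CommandLine, TargetObject, TargetFilename).
# Assumed: the Run value's data, the HKU path, the FileDelete shape for the
# Zone.Identifier stream, and the benign control event at the end.
EVENTS = [
    {"type": "ProcessCreate",
     "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\Due Invoices.exe",
     "CommandLine": "'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\CrYyKQbnVaYHC' "
                    "/XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpE452.tmp'"},
    {"type": "RegistryValueSet",
     "Image": "C:\\Users\\user\\Desktop\\Due Invoices.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bin2",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\bin2\\bin2.exe"},
    {"type": "FileCreate",
     "Image": "C:\\Users\\user\\Desktop\\Due Invoices.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\bin2\\bin2.exe"},
    {"type": "FileDelete",
     "Image": "C:\\Users\\user\\Desktop\\Due Invoices.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\bin2\\bin2.exe:Zone.Identifier"},
    {"type": "ProcessCreate",   # benign control: an admin script registering a task
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "schtasks.exe /Create /TN Backup\\Nightly /XML C:\\ProgramData\\Backup\\nightly.xml"},
]

_QUOTED_OR_BARE = r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))"


def cmd_arg(cmdline: str, switch: str) -> Optional[str]:
    """Value of an schtasks-style /switch, quoted with ' or \" or bare."""
    m = re.search(rf"(?i)/{switch}\s+{_QUOTED_OR_BARE}", cmdline)
    return next((g for g in m.groups() if g is not None), None) if m else None


def in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create fed an XML from the user's Temp dir: the task body is
    opaque on the command line, so the XML path is the tell."""
    if ev["type"] != "ProcessCreate" or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["CommandLine"]
    xml = cmd_arg(cmd, "xml")
    if "/create" in cmd.lower() and xml and "\\appdata\\local\\temp\\" in xml.lower():
        return {"rule": "schtasks_create_xml_from_temp", "actor": ev["ParentImage"],
                "task": cmd_arg(cmd, "tn"), "xml": xml}
    return None


def rule_run_key_from_user_process(ev):
    tgt = ev.get("TargetObject", "")
    if ev["type"] == "RegistryValueSet" and "\\currentversion\\run\\" in tgt.lower() and in_user_profile(ev["Image"]):
        return {"rule": "run_key_set_by_user_profile_binary", "actor": ev["Image"],
                "value": tgt.rsplit("\\", 1)[1], "data": ev.get("Details")}
    return None


def rule_pe_dropped_in_appdata(ev):
    tgt = ev.get("TargetFilename", "").lower()
    if ev["type"] == "FileCreate" and tgt.endswith(".exe") and "\\appdata\\" in tgt and in_user_profile(ev["Image"]):
        return {"rule": "pe_dropped_in_appdata", "actor": ev["Image"], "file": ev["TargetFilename"]}
    return None


def rule_zone_identifier_removed(ev):
    """Deleting <file>:Zone.Identifier strips the mark-of-the-web from a dropped file."""
    tgt = ev.get("TargetFilename", "")
    if ev["type"] == "FileDelete" and tgt.lower().endswith(":zone.identifier"):
        return {"rule": "zone_identifier_removed", "actor": ev["Image"], "file": tgt.rsplit(":", 1)[0]}
    return None


RULES = [rule_schtasks_xml_from_temp, rule_run_key_from_user_process,
         rule_pe_dropped_in_appdata, rule_zone_identifier_removed]


def detect(events):
    """Run every rule over every event, then group alerts by the acting process:
    one rule firing is noise, several on one actor is the persistence chain."""
    alerts = [hit for ev in events for rule in RULES if (hit := rule(ev))]
    by_actor = defaultdict(set)
    for a in alerts:
        by_actor[a["actor"]].add(a["rule"])
    chains = {actor: sorted(rules) for actor, rules in by_actor.items() if len(rules) >= 2}
    return alerts, chains


if __name__ == "__main__":
    alerts, chains = detect(EVENTS)
    for a in alerts:
        print(a)
    print(chains)
```

The schtasks alert is attributed to the parent (the process that spawned schtasks.exe), not to schtasks.exe itself; without that the task registration would never correlate with the file drop and the Run key written by the same binary.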
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Due Invoices.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3880 Thread sleep time: -43929s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 5816 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080 Thread sleep count: 2152 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080 Thread sleep count: 7651 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 5480 Thread sleep time: -41922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 6912 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 7072 Thread sleep time: -33116s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1900 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288 Thread sleep count: 9250 > 30
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288 Thread sleep count: 599 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Due Invoices.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Due Invoices.exe Window / User API: threadDelayed 2152 Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Window / User API: threadDelayed 7651 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Window / User API: threadDelayed 9250
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Window / User API: threadDelayed 599
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Thread delayed: delay time: 43929 Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 41922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 33116 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Thread delayed: delay time: 922337203685477
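The sleep entries above need decoding before they mean anything. The value 922337203685477 that recurs under "Contains long sleeps" is 2^63 100-ns ticks expressed in milliseconds: the 0x8000000000000000 interval that kernel32!SleepEx hands to NtDelayExecution for INFINITE. Those entries are therefore threads parked forever, not a computed delay of thousands of years, and the minus sign is only the relative-timeout convention. The value 24903104499507879 does not fit a 64-bit relative timeout at all, so it is a garbage argument or a mis-parse rather than a sleep. The following is an added example, not part of the sandbox report, that parses these lines and classifies each delay; it assumes the report's numbers are milliseconds (the trailing "s" is a rendering quirk; the 30000 and 3-minute thresholds only make sense on that reading).

```python
"""Decoder for the thread sleep / delay values in the evasion entries above.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# NtDelayExecution takes a relative timeout in 100-ns ticks; kernel32!SleepEx
# passes 0x8000000000000000 (INT64_MIN) for INFINITE. In milliseconds that is
# 2**63 // 10_000 == 922337203685477, the number that recurs in the report.
TICKS_PER_MS = 10_000
INFINITE_TICKS = 1 << 63
INFINITE_MS = INFINITE_TICKS // TICKS_PER_MS
LONG_SLEEP_MS = 3 * 60 * 1000   # the 'long sleeps (>= 3 min)' signature threshold
EVASIVE_MS = 30_000             # the '>= -30000' comparison in the sleep entries

# Assumption: the report's numbers are milliseconds (the 's' suffix on
# 'Thread sleep time' is a rendering quirk).
ENTRY = re.compile(
    r"Source: (?P<proc>.+?) (?:TID: (?P<tid>\d+) )?"
    r"(?:Thread sleep time: (?P<sleep>-?\d+)s|Thread delayed: delay time: (?P<delay>\d+)"
    r"|Thread sleep count: (?P<count>\d+))"
)


def classify_delay(ms: int) -> str:
    """Map one delay argument to what it means for an analyst."""
    ms = abs(ms)   # relative timeouts are negative by convention; the sign carries no information
    if ms == INFINITE_MS:
        return "INFINITE"        # a Sleep(INFINITE)-style park, not a computed delay
    if ms * TICKS_PER_MS >= INFINITE_TICKS:
        return "out of range"    # cannot be a 64-bit relative timeout: garbage argument or mis-parse
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= EVASIVE_MS:
        return "evasive"         # above the sandbox's per-sleep threshold
    return "short"


def decode_entries(report_text: str) -> list:
    """Parse the 'Thread sleep time' / 'Thread delayed' / 'Thread sleep count'
    lines and attach a classification to each delay value."""
    out = []
    for m in ENTRY.finditer(report_text):
        proc = m.group("proc").rsplit("\\", 1)[-1]
        if m.group("count") is not None:
            out.append({"process": proc, "tid": m.group("tid"), "kind": "sleep_count",
                        "value": int(m.group("count")), "class": "loop"})
        else:
            ms = int(m.group("sleep") or m.group("delay"))
            out.append({"process": proc, "tid": m.group("tid"), "kind": "delay_ms",
                        "value": abs(ms), "class": classify_delay(ms)})
    return out


def summarize(entries: list) -> dict:
    """Per process: how many delays fall in each class and the largest sleep
    loop count. An INFINITE wait next to thousands of short sleeps on another
    thread is the shape of a timing-based evasion loop beside a parked worker."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["kind"] == "sleep_count":
            summary[e["process"]]["max_sleep_count"] = max(summary[e["process"]]["max_sleep_count"], e["value"])
        else:
            summary[e["process"]][e["class"]] += 1
    return {p: dict(v) for p, v in summary.items()}


# Sample lines copied from the entries above (the trailing link text is ignored by the parser).
SAMPLE_LINES = """\
Source: C:\\Users\\user\\Desktop\\Due Invoices.exe TID: 3880 Thread sleep time: -43929s >= -30000s Jump to behavior
Source: C:\\Users\\user\\Desktop\\Due Invoices.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\\Users\\user\\Desktop\\Due Invoices.exe TID: 5816 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Source: C:\\Users\\user\\Desktop\\Due Invoices.exe TID: 3080 Thread sleep count: 7651 > 30 Jump to behavior
Source: C:\\Users\\user\\AppData\\Roaming\\bin2\\bin2.exe TID: 7072 Thread sleep time: -33116s >= -30000s Jump to behavior
Source: C:\\Users\\user\\AppData\\Roaming\\bin2\\bin2.exe Thread delayed: delay time: 922337203685477
"""

if __name__ == "__main__":
    for e in decode_entries(SAMPLE_LINES):
        print(e)
    print(summarize(decode_entries(SAMPLE_LINES)))
```

The 43929 ms and 33116 ms delays are the ones that matter for sandbox tuning: both sit just above the 30 s per-sleep threshold, which is why the "Sample execution stops while process was sleeping" signature fires.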
Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\l2w
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Hu]
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};2w

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Due Invoices.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Due Invoices.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Due Invoices.exe Memory written: C:\Users\user\Desktop\Due Invoices.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Memory written: C:\Users\user\AppData\Roaming\bin2\bin2.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Due Invoices.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Users\user\Desktop\Due Invoices.exe Process created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Users\user\Desktop\Due Invoices.exe VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Users\user\Desktop\Due Invoices.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 7.2.Due Invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.bin2.exe.42a0900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Due Invoices.exe.3ed0900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bin2.exe.4400900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.bin2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bin2.exe.4400900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Due Invoices.exe.3ed0900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.bin2.exe.42a0900.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Due Invoices.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Due Invoices.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Due Invoices.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Due Invoices.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 7.2.Due Invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.bin2.exe.42a0900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Due Invoices.exe.3ed0900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bin2.exe.4400900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.bin2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bin2.exe.4400900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Due Invoices.exe.3ed0900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.bin2.exe.42a0900.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR
No contacted IP infos