Windows Analysis Report Due Invoices.exe

Overview

General Information

Sample Name: Due Invoices.exe
Analysis ID: 483783
MD5: a6b52f7798a38a5698e46c0a175a29d1
SHA1: ffb626154125d6e7842069475af74c87a0472a1e
SHA256: 6bb2aaf5abceeec0ba17d3a4a857de168176ff58c688d931d6b4ca71295b3fa7
Tags: agenttesla, exe
Most interesting Screenshot: (image not included in this export)

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Due Invoices.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\Due Invoices.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • schtasks.exe (PID: 5560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Due Invoices.exe (PID: 5556 cmdline: C:\Users\user\Desktop\Due Invoices.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • bin2.exe (PID: 6256 cmdline: 'C:\Users\user\AppData\Roaming\bin2\bin2.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • schtasks.exe (PID: 5616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • bin2.exe (PID: 4624 cmdline: C:\Users\user\AppData\Roaming\bin2\bin2.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • bin2.exe (PID: 6956 cmdline: C:\Users\user\AppData\Roaming\bin2\bin2.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • bin2.exe (PID: 7088 cmdline: 'C:\Users\user\AppData\Roaming\bin2\bin2.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(26 entries in total; 5 shown above)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.Due Invoices.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Due Invoices.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
15.2.bin2.exe.42a0900.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.bin2.exe.42a0900.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Due Invoices.exe.3ed0900.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(11 entries in total; 5 shown above)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Due Invoices.exe | Virustotal: Detection: 27%
Source: Due Invoices.exe | ReversingLabs: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | ReversingLabs: Detection: 17%
Source: 7.2.Due Invoices.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 20.2.bin2.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Due Invoices.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Due Invoices.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Due Invoices.exe, 00000007.00000002.930110684.00000000033FD000.00000004.00000001.sdmp | String found in binary or memory: http://FzDyJtWTr6Up41DQo.com
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://TxPJSD.com
Source: Due Invoices.exe, 00000000.00000003.661595075.0000000005D5A000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.663332421.0000000005D61000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://mail.ontime.com.ph
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://ontime.com.ph
Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Due Invoices.exe, 00000000.00000003.667688318.0000000005D5A000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.ht2
Source: Due Invoices.exe, 00000000.00000003.667331933.0000000005D5B000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Due Invoices.exe, 00000000.00000003.665335528.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comhU(
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Due Invoices.exe, 00000000.00000002.702845400.0000000001307000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commicolY
Source: Due Invoices.exe, 00000000.00000003.661649227.0000000005D6B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Due Invoices.exe, 00000000.00000003.664347425.0000000005D53000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.675160937.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com;S
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comES
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comNorm
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Due Invoices.exe, 00000000.00000003.669412919.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de.rWS0
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de;S
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deXS9
Source: Due Invoices.exe, 00000000.00000003.668744407.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dewa
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Due Invoices.exe, 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, bin2.exe, 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.ontime.com.ph
Source: bin2.exe, 0000000E.00000002.797144490.000000000168B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Due Invoices.exe
                      Source: Due Invoices.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3B380_2_02BF3B38
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF2F380_2_02BF2F38
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF51E00_2_02BF51E0
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF21D00_2_02BF21D0
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF29180_2_02BF2918
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF1D7C0_2_02BF1D7C
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3EF20_2_02BF3EF2
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF03880_2_02BF0388
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF23C90_2_02BF23C9
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3B290_2_02BF3B29
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF2F280_2_02BF2F28
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF03780_2_02BF0378
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF38280_2_02BF3828
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF38170_2_02BF3817
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3DBC0_2_02BF3DBC
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3DFB0_2_02BF3DFB
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF21C10_2_02BF21C1
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF29080_2_02BF2908
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF3D700_2_02BF3D70
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 0_2_02BF7D600_2_02BF7D60
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_01532D287_2_01532D28
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_015347A77_2_015347A7
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_015392907_2_01539290
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_015346887_2_01534688
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_0153F1387_2_0153F138
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_015300407_2_01530040
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_01539A387_2_01539A38
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_01539AD87_2_01539AD8
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_0153B8917_2_0153B891
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_0153B8A07_2_0153B8A0
                      Source: C:\Users\user\Desktop\Due Invoices.exeCode function: 7_2_015316A07_2_015316A0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_0167E5CB14_2_0167E5CB
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_0167E5D814_2_0167E5D8
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_0167BC3414_2_0167BC34
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E21D014_2_030E21D0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E30DC14_2_030E30DC
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E2E4814_2_030E2E48
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E1CCC14_2_030E1CCC
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E2B3714_2_030E2B37
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E037814_2_030E0378
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E038814_2_030E0388
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E321214_2_030E3212
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E311B14_2_030E311B
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E713914_2_030E7139
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E714814_2_030E7148
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E21C014_2_030E21C0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_030E309014_2_030E3090
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7E85014_2_08A7E850
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A791A014_2_08A791A0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7999814_2_08A79998
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7AA0014_2_08A7AA00
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7439014_2_08A74390
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7E5D014_2_08A7E5D0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7AD2814_2_08A7AD28
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A766C814_2_08A766C8
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7E84014_2_08A7E840
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A799CD14_2_08A799CD
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7AAA114_2_08A7AAA1
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 14_2_08A7E5C014_2_08A7E5C0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0151E5D815_2_0151E5D8
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0151E5CA15_2_0151E5CA
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0151BC3415_2_0151BC34
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_051E1D7C15_2_051E1D7C
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_051E21D015_2_051E21D0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_051E21C015_2_051E21C0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_051E038815_2_051E0388
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_051E038715_2_051E0387
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753265815_2_07532658
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753068815_2_07530688
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B52815_2_0753B528
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753741815_2_07537418
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753314015_2_07533140
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_07537E9815_2_07537E98
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753777015_2_07537770
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753067B15_2_0753067B
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753F63815_2_0753F638
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753F62815_2_0753F628
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B51815_2_0753B518
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753740815_2_07537408
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B35F15_2_0753B35F
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753D37715_2_0753D377
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753D37815_2_0753D378
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B36015_2_0753B360
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753E14815_2_0753E148
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753E13815_2_0753E138
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_075360F015_2_075360F0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_075360E015_2_075360E0
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B0B715_2_0753B0B7
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753B0B815_2_0753B0B8
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753AE7F15_2_0753AE7F
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_07537E9715_2_07537E97
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753AE8015_2_0753AE80
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_07537E8915_2_07537E89
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753CD9015_2_0753CD90
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753CD8F15_2_0753CD8F
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753DC9715_2_0753DC97
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_0753DC9815_2_0753DC98
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_075378C815_2_075378C8
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeCode function: 15_2_075378B815_2_075378B8
                      Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000000.00000002.706329549.0000000003FB5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000000.00000003.686549649.0000000008B87000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000007.00000000.700763596.0000000000DB8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
                      Source: Due Invoices.exeBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: bin2.exe.7.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Due Invoices.exeVirustotal: Detection: 27%
                      Source: Due Invoices.exeReversingLabs: Detection: 17%
                      Source: C:\Users\user\Desktop\Due Invoices.exeFile read: C:\Users\user\Desktop\Due Invoices.exeJump to behavior
Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Due Invoices.exe 'C:\Users\user\Desktop\Due Invoices.exe'
Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe 'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: C:\Users\user\Desktop\Due Invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Due Invoices.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe
Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE452.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/9@2/0
Source: C:\Users\user\Desktop\Due Invoices.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Due Invoices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Mutant created: \Sessions\1\BaseNamedObjects\rqJblVj
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
Source: Due Invoices.exe, 00000000.00000003.675563827.0000000005D96000.00000004.00000001.sdmp | Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnta{?
Source: Due Invoices.exe, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: bin2.exe.7.dr, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Due Invoices.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Due Invoices.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Due Invoices.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Due Invoices.exe, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bin2.exe.7.dr, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 14_2_030E67F7 push cs; ret 14_2_030E6804
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 14_2_030E3E56 push ss; retf 14_2_030E3E57
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_07532648 pushfd ; retf 15_2_07532656
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753662E push cs; retf 15_2_0753662F
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753A401 push 3C075A98h; retf 15_2_0753A40D
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753F1C8 pushad ; iretd 15_2_0753F2E5
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753EDC9 push ss; retf 15_2_0753EDCE
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753EB28 push ss; retf 15_2_0753EDCE
Source: initial sample | Static PE information: section name: .text entropy: 7.77383122415
Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Users\user\Desktop\Due Invoices.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin2

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\bin2\bin2.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Due Invoices.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Due Invoices.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match; File source: 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Due Invoices.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Due Invoices.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3880; Thread sleep time: -43929s >= -30000s
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 7156; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 5816; Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080; Thread sleep count: 2152 > 30
Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080; Thread sleep count: 7651 > 30
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 5480; Thread sleep time: -41922s >= -30000s
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 6912; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 7072; Thread sleep time: -33116s >= -30000s
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1900; Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288; Thread sleep count: 9250 > 30
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288; Thread sleep count: 599 > 30
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\Due Invoices.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Due Invoices.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Due Invoices.exe; Window / User API: threadDelayed 2152
Source: C:\Users\user\Desktop\Due Invoices.exe; Window / User API: threadDelayed 7651
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Window / User API: threadDelayed 9250
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Window / User API: threadDelayed 599
Source: C:\Users\user\Desktop\Due Invoices.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Due Invoices.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Thread delayed: delay time: 43929
Source: C:\Users\user\Desktop\Due Invoices.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Due Invoices.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 41922
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 33116
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Thread delayed: delay time: 922337203685477
Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\l2w
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Hu]
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};2w
Source: C:\Users\user\Desktop\Due Invoices.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Due Invoices.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Due Invoices.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Due Invoices.exe; Memory written: C:\Users\user\Desktop\Due Invoices.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Memory written: C:\Users\user\AppData\Roaming\bin2\bin2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Due Invoices.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
Source: C:\Users\user\Desktop\Due Invoices.exe; Process created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe; Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Users\user\Desktop\Due Invoices.exe VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation