
Windows Analysis Report: Due Invoices.exe

Overview

General Information

Sample Name: Due Invoices.exe
Analysis ID: 483783
MD5: a6b52f7798a38a5698e46c0a175a29d1
SHA1: ffb626154125d6e7842069475af74c87a0472a1e
SHA256: 6bb2aaf5abceeec0ba17d3a4a857de168176ff58c688d931d6b4ca71295b3fa7
Tags: agenttesla, exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32-bit PE files
Queries the volume information (name, serial number, etc.) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Due Invoices.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\Due Invoices.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • schtasks.exe (PID: 5560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Due Invoices.exe (PID: 5556 cmdline: C:\Users\user\Desktop\Due Invoices.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • bin2.exe (PID: 6256 cmdline: 'C:\Users\user\AppData\Roaming\bin2\bin2.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • schtasks.exe (PID: 5616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • bin2.exe (PID: 4624 cmdline: C:\Users\user\AppData\Roaming\bin2\bin2.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
    • bin2.exe (PID: 6956 cmdline: C:\Users\user\AppData\Roaming\bin2\bin2.exe MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • bin2.exe (PID: 7088 cmdline: 'C:\Users\user\AppData\Roaming\bin2\bin2.exe' MD5: A6B52F7798A38A5698E46C0A175A29D1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(26 entries in total; 5 shown above)

            Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.Due Invoices.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Due Invoices.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
15.2.bin2.exe.42a0900.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.bin2.exe.42a0900.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Due Invoices.exe.3ed0900.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(11 entries in total; 5 shown above)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Due Invoices.exe | Virustotal: Detection: 27%
Source: Due Invoices.exe | ReversingLabs: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | ReversingLabs: Detection: 17%
Source: 7.2.Due Invoices.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 20.2.bin2.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Due Invoices.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Due Invoices.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Due Invoices.exe, 00000007.00000002.930110684.00000000033FD000.00000004.00000001.sdmp | String found in binary or memory: http://FzDyJtWTr6Up41DQo.com
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://TxPJSD.com
Source: Due Invoices.exe, 00000000.00000003.661595075.0000000005D5A000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.663332421.0000000005D61000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://mail.ontime.com.ph
Source: Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://ontime.com.ph
Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Due Invoices.exe, 00000000.00000003.667688318.0000000005D5A000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.ht2
Source: Due Invoices.exe, 00000000.00000003.667331933.0000000005D5B000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Due Invoices.exe, 00000000.00000003.665335528.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comhU(
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Due Invoices.exe, 00000000.00000002.702845400.0000000001307000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commicolY
Source: Due Invoices.exe, 00000000.00000003.661649227.0000000005D6B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Due Invoices.exe, 00000000.00000003.664347425.0000000005D53000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp, Due Invoices.exe, 00000000.00000003.675160937.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com;S
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comES
Source: Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comNorm
Source: Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Due Invoices.exe, 00000000.00000003.669412919.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de.rWS0
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de;S
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deXS9
Source: Due Invoices.exe, 00000000.00000003.668744407.0000000005D8D000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dewa
Source: Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Due Invoices.exe, 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, bin2.exe, 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.ontime.com.ph
Source: bin2.exe, 0000000E.00000002.797144490.000000000168B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Due Invoices.exe
Source: Due Invoices.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000000.00000002.706329549.0000000003FB5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000000.00000003.686549649.0000000008B87000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000007.00000000.700763596.0000000000DB8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameeUgOoaVXvDMDrLOHWZfsljIGdoWDt.exe4 vs Due Invoices.exe
                      Source: Due Invoices.exeBinary or memory string: OriginalFilenameIUnknownSafeHand.exeh$ vs Due Invoices.exe
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bin2.exe.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Due Invoices.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: CrYyKQbnVaYHC.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: bin2.exe.7.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Due Invoices.exeVirustotal: Detection: 27%
                      Source: Due Invoices.exeReversingLabs: Detection: 17%
                      Source: C:\Users\user\Desktop\Due Invoices.exeFile read: C:\Users\user\Desktop\Due Invoices.exeJump to behavior
                      Source: Due Invoices.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\Due Invoices.exe 'C:\Users\user\Desktop\Due Invoices.exe'
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe 'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe 'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\Due Invoices.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Due Invoices.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE452.tmp
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/9@2/0
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Mutant created: \Sessions\1\BaseNamedObjects\rqJblVj
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
                      Source: Due Invoices.exe, 00000000.00000003.675563827.0000000005D96000.00000004.00000001.sdmp | Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnta{?
                      Source: Due Invoices.exe, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: bin2.exe.7.dr, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Due Invoices.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Due Invoices.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: Due Invoices.exe, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: CrYyKQbnVaYHC.exe.0.dr, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.Due Invoices.exe.a50000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: bin2.exe.7.dr, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 14_2_030E67F7 push cs; ret
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 14_2_030E3E56 push ss; retf
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_07532648 pushfd ; retf
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753662E push cs; retf
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753A401 push 3C075A98h; retf
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753F1C8 pushad ; iretd
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753EDC9 push ss; retf
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Code function: 15_2_0753EB28 push ss; retf
                      Source: initial sample | Static PE information: section name: .text entropy: 7.77383122415
                      Source: initial sample | Static PE information: section name: .text entropy: 7.77383122415
                      Source: initial sample | Static PE information: section name: .text entropy: 7.77383122415
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\bin2\bin2.exe
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File created: C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe
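Analyst note, added here and not part of the sandbox output: the static facts in this report (an executable .text section with entropy 7.77, a COM descriptor data directory, NX_COMPAT/DYNAMIC_BASE/NO_SEH/TERMINAL_SERVER_AWARE, and IL that calls Assembly.Load(byte[]) next to CreateDecryptor/TransformFinalBlock) together describe a .NET loader that decrypts an embedded assembly and runs it from memory. The Python below walks the PE headers by hand so those fields are visible at their raw offsets, then turns them into triage notes. The flag tables are subsets of the PE/COFF specification, and the image it is run on is constructed, with pseudo-random bytes standing in for an encrypted .text payload; nothing here is derived from the sample's bytes.

```python
import math
import random
import struct

# Flag subsets from the PE/COFF specification, named as the report prints them.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR header of a .NET image


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk the headers of a PE32/PE32+ image and return what static triage needs."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", blob, coff + 2)
    opt_size, = struct.unpack_from("<H", blob, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", blob, opt)
    dll_chars, = struct.unpack_from("<H", blob, opt + 70)  # same offset in PE32 and PE32+
    dirs = opt + (112 if magic == 0x20B else 96)          # DataDirectory[] start
    num_dirs, = struct.unpack_from("<I", blob, dirs - 4)  # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", blob, dirs + 8 * COM_DESCRIPTOR_INDEX)
    sections, table = [], opt + opt_size                  # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        hdr = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, hdr)
        chars, = struct.unpack_from("<I", blob, hdr + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": [n for f, n in SECTION_FLAGS.items() if chars & f],
            "entropy": round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 4),
        })
    return {"sections": sections,
            "dll_characteristics": [n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f],
            "has_clr_header": clr_rva != 0 and clr_size != 0}


def triage(report: dict) -> list:
    """Turn the parsed headers into the findings a reviewer would write down."""
    notes = []
    for s in report["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] > 7.0:
            notes.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}, "
                         "well above plain code; expect an encrypted or compressed payload")
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and "IMAGE_SCN_MEM_WRITE" in s["flags"]:
            notes.append(f"{s['name']}: writable and executable")
    if report["has_clr_header"]:
        notes.append("CLR header present: .NET assembly, decompile the IL and look for "
                     "Assembly.Load(byte[]) fed by CreateDecryptor/TransformFinalBlock")
    return notes


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the analysed sample): CLR header, a pseudo-random
    .text section standing in for an encrypted payload, and an all-zero .rsrc section."""
    rng = random.Random(483783)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = bytes(1024)
    opt_size, hdr_size = 224, 0x200                       # PE32 optional header; FileAlignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8540)               # NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header RVA, size

    def section(name, va, data, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + coff + bytes(opt)
               + section(b".text", 0x2000, text, hdr_size, 0x60000020)               # CODE|EXECUTE|READ
               + section(b".rsrc", 0x4000, rsrc, hdr_size + len(text), 0x40000040))  # INIT_DATA|READ
    return headers.ljust(hdr_size, b"\0") + text + rsrc
```

Usage: `triage(parse_pe(open(path, "rb").read()))`. On the constructed image the .text entropy lands near 8 and the CLR directory entry is set, so triage returns two notes; the same call on a sample with a 7.77 .text gives the first one. The section flags come back in the order of the flag table, not the order the report prints them. A library such as pefile exposes the same fields, the manual walk is kept here only so the offsets stay visible.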

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin2
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin2

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\bin2\bin2.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Due Invoices.exe | Process information set: NOOPENFILEERRORBOX
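Analyst note, an added example rather than sandbox output: the Boot Survival entries and the Zone.Identifier entry above are three actions of one process, and each is weak evidence on its own (legitimate installers also import task XML from Temp and write Run keys). The Python below encodes the three checks over event records shaped like this report's lines, then correlates hits per source process so the chain shows up as one finding. The event schema, the Temp and user-directory heuristics and the benign control record at the end are assumptions of the example, not fields of the Joe Sandbox format.

```python
import re

# Constructed event records in the shape of this report's evidence lines ("Source"
# process, then the action). The first three mirror entries on this page; the last is
# a benign control an administrator might produce.
SAMPLE_EVENTS = [
    {"type": "process", "source": r"C:\Users\user\Desktop\Due Invoices.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'"},
    {"type": "registry", "source": r"C:\Users\user\Desktop\Due Invoices.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "value": "bin2"},
    {"type": "file", "source": r"C:\Users\user\Desktop\Due Invoices.exe",
     "path": r"C:\Users\user\AppData\Roaming\bin2\bin2.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "process", "source": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\nightly.xml"'},
]

_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
_TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
_USER_DIR = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list:
    """Whitespace split that keeps quoted arguments together and drops the quotes.
    The sandbox prints quotes as '...'; real process logs use "..."; both are handled."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] and t[0] in "'\"" else t
            for t in _TOKEN.findall(cmdline)]


def check_process(ev: dict):
    """schtasks /Create whose task definition is imported from a Temp directory."""
    argv = split_cmdline(ev["cmdline"])
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    opts = {a.lower(): (argv[i + 1] if i + 1 < len(argv) else "")
            for i, a in enumerate(argv) if a.startswith("/")}
    xml = opts.get("/xml", "")
    if "/create" in opts and _TEMP_DIR.search(xml):
        return ("schtasks_create_from_temp", ev["source"], f"task {opts.get('/tn', '?')} from {xml}")
    return None


def check_registry(ev: dict):
    """Run-key value written by a process running from a user-writable directory."""
    if ev["key"].lower().endswith(r"\currentversion\run") and _USER_DIR.search(ev["source"]):
        return ("run_key_from_user_dir", ev["source"], f"value {ev['value']}")
    return None


def check_file(ev: dict):
    """Mark-of-the-Web stream opened with delete access (MOTW removal)."""
    if ev["path"].lower().endswith(":zone.identifier") and "delete" in ev["access"].lower():
        return ("motw_stream_deleted", ev["source"], ev["path"])
    return None


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def scan(events) -> list:
    """Run every check; returns (rule, source process, detail) tuples in event order."""
    hits = []
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit:
            hits.append(hit)
    return hits


def correlate(hits) -> dict:
    """Rules triggered per source process. Two or more from one image is the persistence
    chain this report shows; one alone may be an installer."""
    by_proc = {}
    for rule, src, _ in hits:
        by_proc.setdefault(src, set()).add(rule)
    return {src: sorted(rules) for src, rules in by_proc.items()}
```

`correlate(scan(SAMPLE_EVENTS))` attributes all three rules to Due Invoices.exe and nothing to the cmd.exe control. In production the same three checks map onto Sysmon event IDs 1 (process create), 13 (registry value set) and 11/23 (file create/delete) with the source image taken from each event; the task name under a folder called Updates with a random-looking leaf is a further string feature, left out here because the page gives only one instance of it.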
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Due Invoices.exe, 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Due Invoices.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Due Invoices.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3880Thread sleep time: -43929s >= -30000s
                      Source: C:\Users\user\Desktop\Due Invoices.exe TID: 7156Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Due Invoices.exe TID: 5816Thread sleep time: -24903104499507879s >= -30000s
                      Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080Thread sleep count: 2152 > 30
                      Source: C:\Users\user\Desktop\Due Invoices.exe TID: 3080Thread sleep count: 7651 > 30
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 5480Thread sleep time: -41922s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 6912Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 7072Thread sleep time: -33116s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1900Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288Thread sleep count: 9250 > 30
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe TID: 1288Thread sleep count: 599 > 30
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Due Invoices.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Due Invoices.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Due Invoices.exeWindow / User API: threadDelayed 2152
                      Source: C:\Users\user\Desktop\Due Invoices.exeWindow / User API: threadDelayed 7651
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeWindow / User API: threadDelayed 9250
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeWindow / User API: threadDelayed 599
                      Source: C:\Users\user\Desktop\Due Invoices.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Due Invoices.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Due Invoices.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeThread delayed: delay time: 43929
                      Source: C:\Users\user\Desktop\Due Invoices.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Due Invoices.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 41922
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 33116
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeThread delayed: delay time: 922337203685477
                      Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\l2w
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Hu]
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: bin2.exe, 0000000F.00000002.803514384.00000000015A4000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: bin2.exe, 0000000F.00000002.803784789.0000000001665000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};2w
                      Source: C:\Users\user\Desktop\Due Invoices.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Due Invoices.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Due Invoices.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\Due Invoices.exeMemory written: C:\Users\user\Desktop\Due Invoices.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeMemory written: C:\Users\user\AppData\Roaming\bin2\bin2.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Due Invoices.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
                      Source: C:\Users\user\Desktop\Due Invoices.exeProcess created: C:\Users\user\Desktop\Due Invoices.exe C:\Users\user\Desktop\Due Invoices.exe
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
                      Source: C:\Users\user\AppData\Roaming\bin2\bin2.exeProcess created: C:\Users\user\AppData\Roaming\bin2\bin2.exe C:\Users\user\AppData\Roaming\bin2\bin2.exe
                      Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: Due Invoices.exe, 00000007.00000002.928572061.0000000001B50000.00000002.00020000.sdmp, bin2.exe, 00000014.00000002.928100540.0000000001E30000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Users\user\Desktop\Due Invoices.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Due Invoices.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Users\user\Desktop\Due Invoices.exe VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Users\user\AppData\Roaming\bin2\bin2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bin2\bin2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Due Invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.Due Invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.bin2.exe.42a0900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Due Invoices.exe.3ed0900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bin2.exe.4400900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.bin2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bin2.exe.4400900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Due Invoices.exe.3ed0900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.bin2.exe.42a0900.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Due Invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Due Invoices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR
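The file and registry accesses listed in this section are the stealer's sweep across unrelated credential stores (FTP clients, mail clients, browsers, WinSCP) from a single process. The detection below is an added example, not part of the Joe Sandbox report or its signature engine: it groups file-open and key-open telemetry by process and flags any process that touches stores of two or more application families it does not own. The store paths are the ones the report lists; the event record layout, the owner-process list, the family names and the two-family threshold are assumptions of this example, and the telemetry is constructed.

```python
"""Flag a process that sweeps several unrelated credential stores.

Added example, not part of the Joe Sandbox report. The file and registry
paths come from the report's "Stealing of Sensitive Information" section;
the event layout, owner-process list and threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Credential stores grouped by the application family that owns them.
# Patterns are regexes over a lower-cased, backslash-normalised path.
CREDENTIAL_STORES = {
    "ftp": [
        r"\\appdata\\roaming\\filezilla\\recentservers\.xml$",
        r"\\appdata\\roaming\\smartftp\\client 2\.0\\favorites\\",
    ],
    "mail": [
        r"\\appdata\\roaming\\thunderbird\\profiles\.ini$",
        r"^hkcu\\software\\incredimail\\identities",
        r"windows messaging subsystem\\profiles\\outlook\\",
    ],
    "browser": [
        r"\\google\\chrome\\user data\\.*\\login data$",
        r"\\appdata\\roaming\\mozilla\\firefox\\profiles\.ini$",
    ],
    "scp": [
        r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions",
    ],
}

# Processes expected to open their own store (assumed list).
LEGITIMATE_OWNERS = {
    "ftp": {"filezilla.exe", "smartftp.exe"},
    "mail": {"thunderbird.exe", "incredimail.exe", "outlook.exe"},
    "browser": {"chrome.exe", "firefox.exe"},
    "scp": {"winscp.exe"},
}


@dataclass
class Event:
    pid: int
    image: str   # process image name, e.g. "Due Invoices.exe"
    kind: str    # "file_open" or "key_open"
    target: str  # file path or registry key


def normalise(target):
    t = target.lower().replace("/", "\\")
    return t.replace("hkey_current_user\\", "hkcu\\")


def classify(target):
    """Return the store family a path/key belongs to, or None."""
    t = normalise(target)
    for family, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, t) for p in patterns):
            return family
    return None


def detect_credential_sweep(events, min_families=2):
    """Return {pid: (image, sorted families)} for every process that opened
    stores of at least `min_families` families it is not the owner of."""
    touched = defaultdict(set)
    images = {}
    for ev in events:
        fam = classify(ev.target)
        if fam is None or ev.image.lower() in LEGITIMATE_OWNERS[fam]:
            continue
        touched[ev.pid].add(fam)
        images[ev.pid] = ev.image
    return {pid: (images[pid], sorted(f))
            for pid, f in touched.items() if len(f) >= min_families}


# Constructed telemetry modelled on the report's observations (PID 5556 is
# the report's injected Due Invoices.exe; the benign rows are invented).
SAMPLE_EVENTS = [
    Event(5556, "Due Invoices.exe", "key_open", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    Event(5556, "Due Invoices.exe", "file_open", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(5556, "Due Invoices.exe", "file_open", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    Event(5556, "Due Invoices.exe", "key_open", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event(5556, "Due Invoices.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(5556, "Due Invoices.exe", "file_open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    # Benign: the browser reading its own store, and a tool touching one family only.
    Event(4100, "chrome.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(4200, "backup.exe", "file_open", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(4200, "backup.exe", "file_open", r"C:\Users\user\Documents\report.docx"),
]

if __name__ == "__main__":
    for pid, (image, fams) in detect_credential_sweep(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image!r} credential stores: {', '.join(fams)}")
```

Keying on the number of distinct store families rather than on any single path keeps single-store readers (a backup agent, the owning application) out of the alert while still catching a stealer that touches FTP, mail, browser and WinSCP stores within one process, which is exactly the pattern this report records for PID 5556.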

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.Due Invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.bin2.exe.42a0900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Due Invoices.exe.3ed0900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bin2.exe.4400900.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.bin2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bin2.exe.4400900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Due Invoices.exe.3ed0900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.bin2.exe.42a0900.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Due Invoices.exe PID: 5260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Due Invoices.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 6256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin2.exe PID: 6956, type: MEMORYSTR

                      Mitre Att&ck Matrix

(Techniques the report matched carry its hit-count badge in square brackets, reproduced as printed; unbadged entries are the matrix's remaining cells.)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [112]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [1]; System Information Discovery [114]; Query Registry [1]; Security Software Discovery [311]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 483783 | Sample: Due Invoices.exe | Start date: 15/09/2021 | Architecture: WINDOWS | Score: 100

Graph legend (icons in the original rendering): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other); Is malicious; Internet. Numbers after a process name below are the graph's count badges, reproduced as printed.

Start (node 2)
  DNS/IP: ontime.com.ph; mail.ontime.com.ph
  Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 7 other signatures
  Started: Due Invoices.exe (node 8); bin2.exe (node 12); bin2.exe (node 14)

Due Invoices.exe 7 (node 8, child of node 2)
  Dropped: C:\Users\user\AppData\...\CrYyKQbnVaYHC.exe (PE32); C:\Users\user\AppData\Local\...\tmpE452.tmp (XML); C:\Users\user\...\Due Invoices.exe.log (ASCII)
  Signatures: Injects a PE file into a foreign processes
  Started: Due Invoices.exe (node 16); schtasks.exe (node 21)

bin2.exe 5 (node 12, child of node 2)
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Started: schtasks.exe (node 23); bin2.exe (node 25); bin2.exe (node 27)

bin2.exe 3 (node 14, child of node 2)

Due Invoices.exe 2 5 (node 16, child of node 8)
  DNS/IP: ontime.com.ph; mail.ontime.com.ph
  Dropped: C:\Users\user\AppData\Roaming\bin2\bin2.exe (PE32); C:\Users\user\...\bin2.exe:Zone.Identifier (ASCII)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures

schtasks.exe 1 (node 21, child of node 8)
  Started: conhost.exe (node 29)

schtasks.exe 1 (node 23, child of node 12)
  Started: conhost.exe (node 31)

bin2.exe 2 (node 25, child of node 12)

bin2.exe (node 27, child of node 12)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Due Invoices.exe | 27% | Virustotal |
Due Invoices.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\bin2\bin2.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.Due Invoices.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
20.2.bin2.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://mail.ontime.com.ph | 0% | Avira URL Cloud | safe
http://www.urwpp.de;S | 0% | Avira URL Cloud | safe
http://www.urwpp.deXS9 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.commicolY | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.urwpp.dewa | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://FzDyJtWTr6Up41DQo.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.urwpp.de.rWS0 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.tiro.comslnt | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ontime.com.ph | 0% | Avira URL Cloud | safe
http://www.tiro.com;S | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.tiro.comES | 0% | Avira URL Cloud | safe
http://www.tiro.comNorm | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.ht2 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comhU( | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ontime.com.ph | 23.111.189.130 | true | false | | high
mail.ontime.com.ph | unknown | unknown | false | | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp; bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.ontime.com.ph | Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de;S | Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deXS9 | Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.commicolY | Due Invoices.exe, 00000000.00000002.702845400.0000000001307000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp; Due Invoices.exe, 00000000.00000003.675160937.0000000005D5E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.ascendercorp.com/typedesigners.html | Due Invoices.exe, 00000000.00000003.667331933.0000000005D5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Due Invoices.exe, 00000000.00000003.661649227.0000000005D6B000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Due Invoices.exe, 00000000.00000003.669412919.0000000005D8D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.dewa | Due Invoices.exe, 00000000.00000003.668744407.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Due Invoices.exe, 00000000.00000002.703363812.0000000002E64000.00000004.00000001.sdmp; bin2.exe, 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp; bin2.exe, 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://FzDyJtWTr6Up41DQo.com | Due Invoices.exe, 00000007.00000002.930110684.00000000033FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Due Invoices.exe, 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp; Due Invoices.exe, 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp; bin2.exe, 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp; bin2.exe, 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp; bin2.exe, 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de.rWS0 | Due Invoices.exe, 00000000.00000003.672391957.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comslnt | Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp; bin2.exe, 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ontime.com.ph | Due Invoices.exe, 00000007.00000002.930249109.0000000003439000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com;S | Due Invoices.exe, 00000000.00000003.666035795.0000000005D8E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://en.w | Due Invoices.exe, 00000000.00000003.661595075.0000000005D5A000.00000004.00000001.sdmp; Due Invoices.exe, 00000000.00000003.663332421.0000000005D61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | Due Invoices.exe, 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Due Invoices.exe, 00000000.00000003.664347425.0000000005D53000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comES | Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | Due Invoices.exe, 00000000.00000002.707497337.0000000006F62000.00000004.00000001.sdmp | false | | high
http://www.tiro.comNorm | Due Invoices.exe, 00000000.00000003.664249360.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers: | Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/ | Due Invoices.exe, 00000000.00000003.669938273.0000000005D63000.00000004.00000001.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.ht2 | Due Invoices.exe, 00000000.00000003.667688318.0000000005D5A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comhU( | Due Invoices.exe, 00000000.00000003.665335528.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

                                                    Contacted IPs

                                                    No contacted IP infos

                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483783
Start date: 15.09.2021
Start time: 13:37:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Due Invoices.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/9@2/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 64.8%
• Quality standard deviation: 37.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.82.210.154, 23.55.161.162, 23.55.161.143, 23.55.161.142, 23.55.161.169, 23.55.161.158, 23.55.161.144, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208
                                                    • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time      Type             Description
13:38:17  API Interceptor  640x Sleep call for process: Due Invoices.exe modified
13:38:48  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bin2 C:\Users\user\AppData\Roaming\bin2\bin2.exe
13:38:56  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bin2 C:\Users\user\AppData\Roaming\bin2\bin2.exe
13:39:03  API Interceptor  391x Sleep call for process: bin2.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Due Invoices.exe.log
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: unknown
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bin2.exe.log
Process: C:\Users\user\AppData\Roaming\bin2\bin2.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: unknown
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Temp\tmp88FF.tmp
Process: C:\Users\user\AppData\Roaming\bin2\bin2.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.193277854469177
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGGtn:cbhK79lNQR/rydbz9I3YODOLNdq3F
MD5: AABA067EC120D0659B9B19990DB36981
SHA1: 572D98E2DFAEECDFAB55C26EF489A81C19E701A0
SHA-256: 8400A5E7338ABE481A56F0D275A4B82C58764802AB75768DB217A5544A5226B5
SHA-512: 42C273C37778BA2BEC9CDB4AA8EF6F742AD9E4C20482F591A4419617DD763CA0ED8EE9EF4C7B94C8C73FBE63CEDA326B7EF28A9036C867196C2C532BF2180EE2
Malicious: false
Reputation: unknown
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Local\Temp\tmp9468.tmp
Process: C:\Users\user\AppData\Roaming\bin2\bin2.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.193277854469177
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGGtn:cbhK79lNQR/rydbz9I3YODOLNdq3F
MD5: AABA067EC120D0659B9B19990DB36981
SHA1: 572D98E2DFAEECDFAB55C26EF489A81C19E701A0
SHA-256: 8400A5E7338ABE481A56F0D275A4B82C58764802AB75768DB217A5544A5226B5
SHA-512: 42C273C37778BA2BEC9CDB4AA8EF6F742AD9E4C20482F591A4419617DD763CA0ED8EE9EF4C7B94C8C73FBE63CEDA326B7EF28A9036C867196C2C532BF2180EE2
Malicious: false
Reputation: unknown
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Local\Temp\tmpE452.tmp
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.193277854469177
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGGtn:cbhK79lNQR/rydbz9I3YODOLNdq3F
MD5: AABA067EC120D0659B9B19990DB36981
SHA1: 572D98E2DFAEECDFAB55C26EF489A81C19E701A0
SHA-256: 8400A5E7338ABE481A56F0D275A4B82C58764802AB75768DB217A5544A5226B5
SHA-512: 42C273C37778BA2BEC9CDB4AA8EF6F742AD9E4C20482F591A4419617DD763CA0ED8EE9EF4C7B94C8C73FBE63CEDA326B7EF28A9036C867196C2C532BF2180EE2
Malicious: true
Reputation: unknown
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 632320
Entropy (8bit): 7.696124068841204
Encrypted: false
SSDEEP: 12288:62I/yzQs2TaIpIY3wyGy4omFaD4Sir7eON/+bwTV45ID:GMIpIVyPmM4Sz2PVuID
MD5: A6B52F7798A38A5698E46C0A175A29D1
SHA1: FFB626154125D6E7842069475AF74C87A0472A1E
SHA-256: 6BB2AAF5ABCEEEC0BA17D3A4A857DE168176FF58C688D931D6B4CA71295B3FA7
SHA-512: D0FCB16022E85C4B735C0FFB32D804608D5A4DB2D5962D47B6366F3DB314FBBD97DD99100F98955708F7430C5AD95A36806718A97F24BC2866BA618C2A06C088
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 18%
Reputation: unknown
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Aa.................6...n......ZT... ...`....@.. ....................................@..................................T..W.......dk...................`....................................................... ............... ..H............text...`4... ...6.................. ..`.reloc.......`.......8..............@..B.rsrc...dk.......l...:..............@..@................<T......H...........XW......H...l...<F..........................................z.(......}.....(....o....}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s....z.2.{.....+...*....0..<........{......3..{....(....o....3...}......+..s.......{....}..
                                                    C:\Users\user\AppData\Roaming\CrYyKQbnVaYHC.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: unknown
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Users\user\AppData\Roaming\bin2\bin2.exe
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 632320
Entropy (8bit): 7.696124068841204
Encrypted: false
SSDEEP: 12288:62I/yzQs2TaIpIY3wyGy4omFaD4Sir7eON/+bwTV45ID:GMIpIVyPmM4Sz2PVuID
MD5: A6B52F7798A38A5698E46C0A175A29D1
SHA1: FFB626154125D6E7842069475AF74C87A0472A1E
SHA-256: 6BB2AAF5ABCEEEC0BA17D3A4A857DE168176FF58C688D931D6B4CA71295B3FA7
SHA-512: D0FCB16022E85C4B735C0FFB32D804608D5A4DB2D5962D47B6366F3DB314FBBD97DD99100F98955708F7430C5AD95A36806718A97F24BC2866BA618C2A06C088
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 18%
Reputation: unknown
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Aa.................6...n......ZT... ...`....@.. ....................................@..................................T..W.......dk...................`....................................................... ............... ..H............text...`4... ...6.................. ..`.reloc.......`.......8..............@..B.rsrc...dk.......l...:..............@..@................<T......H...........XW......H...l...<F..........................................z.(......}.....(....o....}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s....z.2.{.....+...*....0..<........{......3..{....(....o....3...}......+..s.......{....}..
                                                    C:\Users\user\AppData\Roaming\bin2\bin2.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Due Invoices.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: unknown
                                                    Preview: [ZoneTransfer]....ZoneId=0

                                                    Static File Info

                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.696124068841204
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Due Invoices.exe
File size: 632320
MD5: a6b52f7798a38a5698e46c0a175a29d1
SHA1: ffb626154125d6e7842069475af74c87a0472a1e
SHA256: 6bb2aaf5abceeec0ba17d3a4a857de168176ff58c688d931d6b4ca71295b3fa7
SHA512: d0fcb16022e85c4b735c0ffb32d804608d5a4db2d5962d47b6366f3db314fbbd97dd99100f98955708f7430c5ad95a36806718a97f24bc2866ba618c2a06c088
SSDEEP: 12288:62I/yzQs2TaIpIY3wyGy4omFaD4Sir7eON/+bwTV45ID:GMIpIVyPmM4Sz2PVuID
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Aa.................6...n......ZT... ...`....@.. ....................................@................................

                                                    File Icon

Icon Hash: f1f0f4d0eecccc71

                                                    Static PE Info

                                                    General

Entrypoint: 0x49545a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6141A2CC [Wed Sep 15 07:37:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al   (repeated 97 times: everything after the single jmp through the IAT is zero padding, and 00 00 decodes as add byte ptr [eax], al)

                                                    Data Directories

                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x95400 | 0x57 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x6b64 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0x93460 | 0x93600 | False | 0.862807463953 | data | 7.77383122415 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x98000 | 0x6b64 | 0x6c00 | False | 0.441767939815 | data | 5.12984328991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_ICON | 0x982b0 | 0x668 | data | |
                                                    RT_ICON | 0x98918 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725 | |
                                                    RT_ICON | 0x98c00 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                                    RT_ICON | 0x98d28 | 0xea8 | data | |
                                                    RT_ICON | 0x99bd0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
                                                    RT_ICON | 0x9a478 | 0x568 | GLS_BINARY_LSB_FIRST | |
                                                    RT_ICON | 0x9a9e0 | 0x25a8 | data | |
                                                    RT_ICON | 0x9cf88 | 0x10a8 | data | |
                                                    RT_ICON | 0x9e030 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                    RT_GROUP_ICON | 0x9e498 | 0x84 | data | |
                                                    RT_VERSION | 0x9e51c | 0x494 | data | |
                                                    RT_MANIFEST | 0x9e9b0 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                                                    Imports

                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain

                                                    Version Infos

                                                    Description | Data
                                                    Translation | 0x0000 0x04b0
                                                    LegalCopyright | Copyright 2008 - 2010
                                                    Assembly Version | 1.3.0.0
                                                    InternalName | IUnknownSafeHand.exe
                                                    FileVersion | 1.3.0.0
                                                    CompanyName | WHC
                                                    LegalTrademarks |
                                                    Comments | A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version.
                                                    ProductName | RYL Character Tool - RoW EU version
                                                    ProductVersion | 1.3.0.0
                                                    FileDescription | RYL Character Tool - RoW EU version
                                                    OriginalFilename | IUnknownSafeHand.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    UDP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Sep 15, 2021 13:38:01.295219898 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:01.323718071 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:31.638895035 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:31.663711071 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:53.204896927 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:53.211669922 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:53.234496117 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:53.236763000 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:53.802824020 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:53.866686106 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:54.386301994 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:54.416470051 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:54.783165932 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:54.817075968 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:54.963505030 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:54.998709917 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:55.944459915 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:55.972532988 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:57.707360983 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:57.734545946 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:38:59.052906036 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:38:59.078155994 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:01.200402975 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:01.236058950 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:02.543715954 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:02.575556040 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:03.571147919 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:03.598042011 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:11.606681108 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:11.634656906 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:41.748897076 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:41.792762041 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:39:43.633790970 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:39:43.668656111 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:40:10.011022091 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:40:10.161604881 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                    Sep 15, 2021 13:40:10.391025066 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                    Sep 15, 2021 13:40:10.657954931 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4

                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Sep 15, 2021 13:40:10.011022091 CEST | 192.168.2.4 | 8.8.8.8 | 0xf8bf | Standard query (0) | mail.ontime.com.ph | A (IP address) | IN (0x0001)
                                                    Sep 15, 2021 13:40:10.391025066 CEST | 192.168.2.4 | 8.8.8.8 | 0xfa88 | Standard query (0) | mail.ontime.com.ph | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Sep 15, 2021 13:40:10.161604881 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8bf | No error (0) | mail.ontime.com.ph | ontime.com.ph | | CNAME (Canonical name) | IN (0x0001)
                                                    Sep 15, 2021 13:40:10.161604881 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8bf | No error (0) | ontime.com.ph | | 23.111.189.130 | A (IP address) | IN (0x0001)
                                                    Sep 15, 2021 13:40:10.657954931 CEST | 8.8.8.8 | 192.168.2.4 | 0xfa88 | No error (0) | mail.ontime.com.ph | ontime.com.ph | | CNAME (Canonical name) | IN (0x0001)
                                                    Sep 15, 2021 13:40:10.657954931 CEST | 8.8.8.8 | 192.168.2.4 | 0xfa88 | No error (0) | ontime.com.ph | | 23.111.189.130 | A (IP address) | IN (0x0001)

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:13:38:05
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\Desktop\Due Invoices.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\Due Invoices.exe'
                                                    Imagebase:0xa50000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.704241573.0000000003E19000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.706451004.0000000004040000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.703233657.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:13:38:24
                                                    Start date:15/09/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmpE452.tmp'
                                                    Imagebase:0x9c0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:13:38:25
                                                    Start date:15/09/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:13:38:25
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\Desktop\Due Invoices.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\Due Invoices.exe
                                                    Imagebase:0xd20000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.929167866.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.925882279.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:13:38:57
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
                                                    Imagebase:0xec0000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.799250736.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.803495883.000000000456F000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.802138840.0000000004349000.00000004.00000001.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 18%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:13:39:05
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\bin2\bin2.exe'
                                                    Imagebase:0xe60000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.805743962.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.804132861.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:13:39:07
                                                    Start date:15/09/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CrYyKQbnVaYHC' /XML 'C:\Users\user\AppData\Local\Temp\tmp9468.tmp'
                                                    Imagebase:0x9c0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:13:39:07
                                                    Start date:15/09/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:13:39:07
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Imagebase:0x1e0000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:13:39:08
                                                    Start date:15/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\bin2\bin2.exe
                                                    Imagebase:0xfc0000
                                                    File size:632320 bytes
                                                    MD5 hash:A6B52F7798A38A5698E46C0A175A29D1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.925882478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.929081705.00000000034E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low
