Windows Analysis Report MSC INVOICE.exe

Overview

General Information

Sample Name: MSC INVOICE.exe
Analysis ID: 552911
MD5: fecd0c876664920359cb84ea32bed1c2
SHA1: ea9c3588a0eea1d9816a3097617901abfccee2e6
SHA256: 94b190ce6f9544e1717b7da29b2b5acdfa10bc554d88b1fc541ceaf9500a7a28
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 19.0.xWBWc.exe.400000.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mariel.lalu@jeteix.com", "Password": "qlRYaFn8", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: MSC INVOICE.exe Virustotal: Detection: 33%
Source: MSC INVOICE.exe ReversingLabs: Detection: 46%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe ReversingLabs: Detection: 46%
Machine Learning detection for sample
Source: MSC INVOICE.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 19.0.xWBWc.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 8.0.MSC INVOICE.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 19.2.xWBWc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.xWBWc.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 8.0.MSC INVOICE.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 8.2.MSC INVOICE.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 8.0.MSC INVOICE.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.xWBWc.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 8.0.MSC INVOICE.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.xWBWc.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 19.0.xWBWc.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 8.0.MSC INVOICE.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: MSC INVOICE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MSC INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.225
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49844 -> 208.91.199.225:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49844 -> 208.91.199.225:587
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: MSC INVOICE.exe, 00000000.00000002.385068653.00000000010C0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: MSC INVOICE.exe
.NET source code contains very large array initializations
Source: 8.0.MSC INVOICE.exe.400000.12.unpack, <PrivateImplementationDetails>{92B2832D-0459-4B17-8BDC-25EE93EE0B2C}/059D3440-8506-4996-B445-422F7D0C96F3.cs Large array initialization: .cctor: array initializer size 11925
Source: 8.0.MSC INVOICE.exe.400000.8.unpack, <PrivateImplementationDetails>{92B2832D-0459-4B17-8BDC-25EE93EE0B2C}/059D3440-8506-4996-B445-422F7D0C96F3.cs Large array initialization: .cctor: array initializer size 11925
Executable has a suspicious name (potential lure to open the executable)
Source: MSC INVOICE.exe Static file information: Suspicious name
Uses 32bit PE files
Source: MSC INVOICE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: MSC INVOICE.exe Binary or memory string: OriginalFilename vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.385068653.00000000010C0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.388575249.0000000007260000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.384536317.0000000000922000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.386566208.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDbNRGtLrIsRCNNEYWZLoOTbCuwmOELENAv.exe4 vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.386566208.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000000.00000002.386022562.0000000002E41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDbNRGtLrIsRCNNEYWZLoOTbCuwmOELENAv.exe4 vs MSC INVOICE.exe
Source: MSC INVOICE.exe Binary or memory string: OriginalFilename vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000005.00000000.369953414.0000000000312000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe Binary or memory string: OriginalFilename vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000006.00000000.371647480.00000000003F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000007.00000000.373781197.00000000003F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe Binary or memory string: OriginalFilename vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000008.00000000.376089728.00000000004A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000008.00000002.620377295.00000000008F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MSC INVOICE.exe
Source: MSC INVOICE.exe, 00000008.00000002.616612673.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameDbNRGtLrIsRCNNEYWZLoOTbCuwmOELENAv.exe4 vs MSC INVOICE.exe
Source: MSC INVOICE.exe Binary or memory string: OriginalFilenameDictionaryEnumerat.exe8 vs MSC INVOICE.exe
Source: MSC INVOICE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xWBWc.exe.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MSC INVOICE.exe Virustotal: Detection: 33%
Source: MSC INVOICE.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\MSC INVOICE.exe File read: C:\Users\user\Desktop\MSC INVOICE.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\MSC INVOICE.exe "C:\Users\user\Desktop\MSC INVOICE.exe"
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process created: C:\Users\user\Desktop\MSC INVOICE.exe C:\Users\user\Desktop\MSC INVOICE.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process created: C:\Users\user\Desktop\MSC INVOICE.exe C:\Users\user\Desktop\MSC INVOICE.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process created: C:\Users\user\Desktop\MSC INVOICE.exe C:\Users\user\Desktop\MSC INVOICE.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process created: C:\Users\user\Desktop\MSC INVOICE.exe C:\Users\user\Desktop\MSC INVOICE.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe "C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe"
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Process created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe "C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe"
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Process created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MSC INVOICE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSC INVOICE.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/4@2/2
Source: C:\Users\user\Desktop\MSC INVOICE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 8.0.MSC INVOICE.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.MSC INVOICE.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\MSC INVOICE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MSC INVOICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MSC INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: MSC INVOICE.exe, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.MSC INVOICE.exe.920000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.MSC INVOICE.exe.920000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.MSC INVOICE.exe.310000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.MSC INVOICE.exe.310000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.MSC INVOICE.exe.310000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.MSC INVOICE.exe.310000.3.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.MSC INVOICE.exe.310000.2.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.MSC INVOICE.exe.3f0000.2.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.MSC INVOICE.exe.3f0000.3.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.MSC INVOICE.exe.3f0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.MSC INVOICE.exe.3f0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.MSC INVOICE.exe.3f0000.2.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.MSC INVOICE.exe.3f0000.3.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: xWBWc.exe.8.dr, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.MSC INVOICE.exe.4a0000.7.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.MSC INVOICE.exe.4a0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.MSC INVOICE.exe.4a0000.9.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.MSC INVOICE.exe.4a0000.13.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.MSC INVOICE.exe.4a0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: MSC INVOICE.exe, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.MSC INVOICE.exe.920000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.MSC INVOICE.exe.920000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.MSC INVOICE.exe.310000.1.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.2.MSC INVOICE.exe.310000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.MSC INVOICE.exe.310000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.MSC INVOICE.exe.310000.3.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.MSC INVOICE.exe.310000.2.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.2.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.MSC INVOICE.exe.3f0000.2.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.MSC INVOICE.exe.3f0000.3.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.MSC INVOICE.exe.3f0000.1.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.MSC INVOICE.exe.3f0000.1.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.MSC INVOICE.exe.3f0000.2.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.MSC INVOICE.exe.3f0000.3.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.2.MSC INVOICE.exe.3f0000.0.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: xWBWc.exe.8.dr, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.0.MSC INVOICE.exe.4a0000.7.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.2.MSC INVOICE.exe.4a0000.1.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.0.MSC INVOICE.exe.4a0000.9.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.0.MSC INVOICE.exe.4a0000.13.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.0.MSC INVOICE.exe.4a0000.1.unpack, Display.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_0092F6FF push esp; iretd 0_2_0092F702
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A40C1 push ecx; retn 0002h 0_2_010A40C2
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A4220 push ebp; retn 0002h 0_2_010A4222
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A8298 push 7802C290h; ret 0_2_010A829D
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A4517 push edi; retn 0002h 0_2_010A451A
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A4451 push edi; retn 0002h 0_2_010A4452
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A4499 push edi; retn 0002h 0_2_010A449A
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A6948 push A02002C2h; ret 0_2_010A694E
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010A9638 pushfd ; retn 0002h 0_2_010A963A
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 0_2_010ADE88 push esp; iretd 0_2_010ADE89
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 5_2_0031F6FF push esp; iretd 5_2_0031F702
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 6_2_003FF6FF push esp; iretd 6_2_003FF702
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_004AF6FF push esp; iretd 8_2_004AF702
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00920C65 push esp; iretd 8_2_00920C66
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00929D90 push eax; retf 8_2_00929D91
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00987E3F push edi; retn 0000h 8_2_00987E41
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A8E0 push esp; ret 8_2_00C2A8EA
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A0FF push eax; ret 8_2_00C2A102
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A0FD push eax; ret 8_2_00C2A0FE
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A8A0 push esp; ret 8_2_00C2A8A2
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A8A8 push esp; ret 8_2_00C2A8AA
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C21840 push cs; ret 8_2_00C21892
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C219B7 push cs; ret 8_2_00C219BA
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C21961 push cs; ret 8_2_00C21962
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C21969 push cs; ret 8_2_00C2196A
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2196E push cs; ret 8_2_00C219B6
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2CEEC pushad ; ret 8_2_00C2CEEE
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2CEF0 pushad ; ret 8_2_00C2CEF2
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A218 push ecx; ret 8_2_00C2A21A
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2A221 push ecx; ret 8_2_00C2A222
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_00C2CFC0 pushad ; ret 8_2_00C2CFC2
Source: initial sample Static PE information: section name: .text entropy: 7.78929926116

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\MSC INVOICE.exe File created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe
Source: C:\Users\user\Desktop\MSC INVOICE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xWBWc

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 14.2.xWBWc.exe.241f82c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.xWBWc.exe.2687838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xWBWc.exe.2427838.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xWBWc.exe.246673c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.xWBWc.exe.267f82c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MSC INVOICE.exe.2e6f7fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.xWBWc.exe.26c673c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MSC INVOICE.exe.2e77808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.481335564.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.488588582.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.481487768.000000000243A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.386022562.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSC INVOICE.exe PID: 6372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 4660, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSC INVOICE.exe, 00000000.00000002.386022562.0000000002E41000.00000004.00000001.sdmp, xWBWc.exe, 0000000E.00000002.481335564.00000000023F1000.00000004.00000001.sdmp, xWBWc.exe, 0000000E.00000002.481487768.000000000243A000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.488588582.0000000002651000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: MSC INVOICE.exe, 00000000.00000002.386022562.0000000002E41000.00000004.00000001.sdmp, xWBWc.exe, 0000000E.00000002.481335564.00000000023F1000.00000004.00000001.sdmp, xWBWc.exe, 0000000E.00000002.481487768.000000000243A000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.488588582.0000000002651000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 6364 Thread sleep time: -37632s >= -30000s
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 3408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 6392 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 6392 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 6560 Thread sleep count: 4257 > 30
Source: C:\Users\user\Desktop\MSC INVOICE.exe TID: 6560 Thread sleep count: 5566 > 30
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 724 Thread sleep time: -35268s >= -30000s
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 3144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 5252 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 5224 Thread sleep count: 3117 > 30
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 5224 Thread sleep count: 6745 > 30
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe TID: 6840 Thread sleep time: -33434s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Window / User API: threadDelayed 4257
Source: C:\Users\user\Desktop\MSC INVOICE.exe Window / User API: threadDelayed 5566
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Window / User API: threadDelayed 3117
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Window / User API: threadDelayed 6745
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MSC INVOICE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\MSC INVOICE.exe Thread delayed: delay time: 37632
Source: C:\Users\user\Desktop\MSC INVOICE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Thread delayed: delay time: 35268
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Thread delayed: delay time: 33434
Source: xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MSC INVOICE.exe, 00000000.00000002.388575249.0000000007260000.00000004.00020000.sdmp, MSC INVOICE.exe, 00000000.00000002.386566208.0000000003E49000.00000004.00000001.sdmp, xWBWc.exe, 0000000E.00000002.486521268.0000000006840000.00000004.00020000.sdmp, xWBWc.exe, 0000000E.00000002.483144084.00000000033F9000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.488979150.0000000003659000.00000004.00000001.sdmp, xWBWc.exe, 00000014.00000002.491732854.0000000006980000.00000004.00020000.sdmp Binary or memory string: FKWv3w6hGFSOTUxlay
Source: xWBWc.exe, 00000014.00000002.488637453.0000000002698000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Code function: 8_2_0092ABB8 LdrInitializeThunk, 8_2_0092ABB8
Source: C:\Users\user\Desktop\MSC INVOICE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\MSC INVOICE.exe Memory written: C:\Users\user\Desktop\MSC INVOICE.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Memory written: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Process created: C:\Users\user\Desktop\MSC INVOICE.exe C:\Users\user\Desktop\MSC INVOICE.exe
Source: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe Process created: C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe C:\Users\user\AppData\Roaming\xWBWc\xWBWc.exe
Source: MSC INVOICE.exe, 00000008.00000002.623894986.00000000010E0000.00000002.00020000.sdmp, xWBWc.exe, 00000013.00000002.622966238.0000000001AD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: MSC INVOICE.exe, 00000008.00000002.623894986.00000000010E0000.00000002.00020000.sdmp, xWBWc.exe, 00000013.00000002.622966238.0000000001AD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: MSC INVOICE.exe, 00000008.00000002.623894986.00000000010E0000.00000002.00020000.sdmp, xWBWc.exe, 00000013.00000002.622966238.0000000001AD0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: MSC INVOICE.exe, 00000008.00000002.623894986.00000000010E0000.00000002.00020000.sdmp, xWBWc.exe, 00000013.00000002.622966238.0000000001AD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: MSC INVOICE.exe PID: 6372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSC INVOICE.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 4588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 4660, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\MSC INVOICE.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MSC INVOICE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.624664599.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.623944283.00000000030A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSC INVOICE.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xWBWc.exe PID: 4588, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla