Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report invoice.pdf.exe

Overview

General Information

Sample Name:invoice.pdf.exe
Analysis ID:358190
MD5:d3bb643f07aee4cc6be3d303222bd2c9
SHA1:a5804c4525cb33a8eb1a4c534e9da3824a826980
SHA256:4e49cd4c9abc7a87bd4da347a31454701ab005bf1f9d9295b9f16de4353f56dc
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • invoice.pdf.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\invoice.pdf.exe' MD5: D3BB643F07AEE4CC6BE3D303222BD2C9)
    • invoice.pdf.exe (PID: 6580 cmdline: C:\Users\user\Desktop\invoice.pdf.exe MD5: D3BB643F07AEE4CC6BE3D303222BD2C9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.invoice.pdf.exe.39bf710.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              2.2.invoice.pdf.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.2.invoice.pdf.exe.39bf710.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  1.2.invoice.pdf.exe.27287c8.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                    1.2.invoice.pdf.exe.38c2460.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 1 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Double ExtensionShow sources
                      Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\invoice.pdf.exe, CommandLine: C:\Users\user\Desktop\invoice.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\invoice.pdf.exe, NewProcessName: C:\Users\user\Desktop\invoice.pdf.exe, OriginalFileName: C:\Users\user\Desktop\invoice.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice.pdf.exe' , ParentImage: C:\Users\user\Desktop\invoice.pdf.exe, ParentProcessId: 6496, ProcessCommandLine: C:\Users\user\Desktop\invoice.pdf.exe, ProcessId: 6580

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 1.2.invoice.pdf.exe.39bf710.3.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: invoice.pdf.exeVirustotal: Detection: 34%Perma Link
                      Source: invoice.pdf.exeReversingLabs: Detection: 21%
                      Machine Learning detection for sampleShow sources
                      Source: invoice.pdf.exeJoe Sandbox ML: detected
                      Source: 2.2.invoice.pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: invoice.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Uses new MSVCR DllsShow sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: invoice.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: mscorrc.pdb source: invoice.pdf.exe, 00000001.00000002.244986843.0000000007A10000.00000002.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.502816545.0000000001590000.00000002.00000001.sdmp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: global trafficTCP traffic: 192.168.2.7:49748 -> 185.221.216.77:587
                      Source: Joe Sandbox ViewASN Name: HOST4GEEKS-LLCUS HOST4GEEKS-LLCUS
                      Source: global trafficTCP traffic: 192.168.2.7:49748 -> 185.221.216.77:587
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_016BA09A recv,
                      Source: unknownDNS traffic detected: queries for: mail.com-cept.com
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: http://HtsCZk.com
                      Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: invoice.pdf.exeString found in binary or memory: http://inchat.kro.kr
                      Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: invoice.pdf.exeString found in binary or memory: http://schooldb.inchat.kro.kr/
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: invoice.pdf.exe, 00000001.00000003.233981816.0000000004B84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coma
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comang
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comati
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comd
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comeac
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comechP
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comext
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTFnO
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comAO
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdiaoJO
                      Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comeO
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedwO
                      Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita$OX
                      Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF$OX
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: invoice.pdf.exe, 00000001.00000003.233778392.0000000004B89000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/tN
                      Source: invoice.pdf.exeString found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$OX
                      Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-OQ
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6OJ
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ConnAO
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/JO
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0anSO7
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/eO
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-OQ
                      Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/JO
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/nO
                      Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/on
                      Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                      Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vv
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: https://MFtHNrHfTnJ.net
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWindow created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 2.2.invoice.pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b44CD734Eu002d2649u002d4744u002d9F1Cu002dD226F20A8433u007d/u0038ABCE9BFu002d8479u002d4ACEu002dB8D6u002d55CC5848CE0F.csLarge array initialization: .cctor: array initializer size 11976
                      .NET source code contains very large stringsShow sources
                      Source: invoice.pdf.exe, frmLogin.csLong String: Length: 13656
                      Source: 1.0.invoice.pdf.exe.b0000.0.unpack, frmLogin.csLong String: Length: 13656
                      Source: 1.2.invoice.pdf.exe.b0000.0.unpack, frmLogin.csLong String: Length: 13656
                      Source: 2.0.invoice.pdf.exe.f80000.0.unpack, frmLogin.csLong String: Length: 13656
                      Source: 2.2.invoice.pdf.exe.f80000.1.unpack, frmLogin.csLong String: Length: 13656
                      Executable has a suspicious name (potential lure to open the executable)Show sources
                      Source: invoice.pdf.exeStatic file information: Suspicious name
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: invoice.pdf.exe
                      Source: initial sampleStatic PE information: Filename: invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_016BB0BA NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_016BB089 NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_000BAC81
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4890
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048EB0A9
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4688
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E1AE0
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E81AE
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E55B0
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4687
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E1AD1
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048EBF88
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048EBF98
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E33D8
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E33E8
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E5368
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E5367
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_000BAF8E
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_00F8AC81
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_01A09690
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_01A07A94
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_01A09248
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_0632D220
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_06320666
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_06327B98
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_0632F3F8
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_0632BDE0
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_0632DE59
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_00F8AF8E
                      Source: invoice.pdf.exe, 00000001.00000002.244986843.0000000007A10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000001.00000000.231958724.000000000012A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.509901766.0000000006300000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000000.239232223.0000000000FFA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.503556333.000000000177A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.502816545.0000000001590000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoice.pdf.exe
                      Source: invoice.pdf.exeBinary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: security.dll
                      Source: invoice.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: invoice.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 2.2.invoice.pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.invoice.pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: invoice.pdf.exe, frmLogin.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 1.0.invoice.pdf.exe.b0000.0.unpack, frmLogin.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 1.2.invoice.pdf.exe.b0000.0.unpack, frmLogin.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 2.0.invoice.pdf.exe.f80000.0.unpack, frmLogin.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 2.2.invoice.pdf.exe.f80000.1.unpack, frmLogin.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_016BAF3E AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_016BAF07 AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice.pdf.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\invoice.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: invoice.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: invoice.pdf.exeVirustotal: Detection: 34%
                      Source: invoice.pdf.exeReversingLabs: Detection: 21%
                      Source: unknownProcess created: C:\Users\user\Desktop\invoice.pdf.exe 'C:\Users\user\Desktop\invoice.pdf.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: invoice.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Source: invoice.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: mscorrc.pdb source: invoice.pdf.exe, 00000001.00000002.244986843.0000000007A10000.00000002.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.502816545.0000000001590000.00000002.00000001.sdmp
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_008FA944 push ds; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048ECC94 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E9C53 push E9FFFFFEh; retf
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048ECDE8 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048ECD11 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E52C1 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E5268 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4FCA push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4F1D push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E5318 push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4F2E push ss; ret
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 1_2_048E4F6D push ss; ret
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.60133626951

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Uses an obfuscated file name to hide its real file extension (double extension)Show sources
                      Source: Possible double extension: pdf.exeStatic PE information: invoice.pdf.exe
                      Source: C:\Users\user\Desktop\invoice.pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.27287c8.1.raw.unpack, type: UNPACKEDPE
                      Found evasive API chain (trying to detect sleep duration tampering with parallel thread)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFunction Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,processSet,processSet,memAlloc,memAlloc,memAlloc,memAlloc
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\invoice.pdf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\invoice.pdf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWindow / User API: threadDelayed 682
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6500Thread sleep time: -102132s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6532Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884Thread sleep count: 682 > 30
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884Thread sleep time: -20460000s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\invoice.pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\invoice.pdf.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\invoice.pdf.exeLast function: Thread delayed
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: invoice.pdf.exe, 00000002.00000002.503848287.00000000017EB000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW123255IPXMediaType
                      Source: invoice.pdf.exe, 00000002.00000002.503848287.00000000017EB000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeCode function: 2_2_01A03A88 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\invoice.pdf.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeMemory written: C:\Users\user\Desktop\invoice.pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\invoice.pdf.exeProcess created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe
                      Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                      Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.39bf710.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.invoice.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.39bf710.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.38c2460.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.3866c40.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\invoice.pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\invoice.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara matchFile source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.39bf710.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.invoice.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.39bf710.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.38c2460.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.invoice.pdf.exe.3866c40.2.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211DLL Side-Loading1DLL Side-Loading1Disable or Modify Tools11OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsNative API1Boot or Logon Initialization ScriptsAccess Token Manipulation1Deobfuscate/Decode Files or Information1Input Capture11Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Process Injection112Obfuscated Files or Information131Credentials in Registry1Security Software Discovery211SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing3NTDSVirtualization/Sandbox Evasion13Distributed Component Object ModelInput Capture11Scheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsProcess Discovery2SSHClipboard Data1Data Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading11Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion13DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobAccess Token Manipulation1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection112/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      invoice.pdf.exe34%VirustotalBrowse
                      invoice.pdf.exe21%ReversingLabsWin32.Trojan.Wacatac
                      invoice.pdf.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      2.2.invoice.pdf.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.carterandcone.comechP0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/eO0%Avira URL Cloudsafe
                      http://www.carterandcone.comeac0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.fontbureau.com.TTFnO0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/nO0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/tN0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/-OQ0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.fontbureau.comAO0%Avira URL Cloudsafe
                      http://HtsCZk.com0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.carterandcone.comext0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.fontbureau.comgrita$OX0%Avira URL Cloudsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.fontbureau.comdiaoJO0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/JO0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/Y0anSO70%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.carterandcone.comati0%Avira URL Cloudsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      https://MFtHNrHfTnJ.net0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/JO0%Avira URL Cloudsafe
                      http://www.gagalive.kr/livechat1.swf?chatroom=inchat-0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/on0%Avira URL Cloudsafe
                      http://www.fontbureau.comeO0%Avira URL Cloudsafe
                      http://www.fontbureau.comd0%URL Reputationsafe
                      http://www.fontbureau.comd0%URL Reputationsafe
                      http://www.fontbureau.comd0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/6OJ0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/s0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/s0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      mail.com-cept.com
                      		185.221.216.77
                      		truetrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                            		high
                            http://www.carterandcone.comechPinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.founder.com.cn/cn/bTheinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/eOinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers?invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                              		high
                              http://www.carterandcone.comeacinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.cominvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com.TTFnOinvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designersinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                		high
                                http://www.goodfont.co.krinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssinvoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.jiyu-kobo.co.jp/nOinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sajatypeworks.cominvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/tNinvoice.pdf.exe, 00000001.00000003.233778392.0000000004B89000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/-OQinvoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htminvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.cominvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comAOinvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://HtsCZk.cominvoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleaseinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comextinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://api.ipify.org%GETMozilla/5.0invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		low
                                  http://www.fonts.cominvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.zhongyicts.com.cninvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.sakkal.cominvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.ipify.org%invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		low
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipinvoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://schooldb.inchat.kro.kr/invoice.pdf.exefalse
                                      		high
                                      http://www.fontbureau.comgrita$OXinvoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.carterandcone.comainvoice.pdf.exe, 00000001.00000003.233981816.0000000004B84000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.apache.org/licenses/LICENSE-2.0invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.cominvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.comdiaoJOinvoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/JOinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/Y0anSO7invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://DynDns.comDynDNSinvoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.carterandcone.comatiinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://sectigo.com/CPS0invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://inchat.kro.krinvoice.pdf.exefalse
                                            		high
                                            http://www.carterandcone.comdinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://MFtHNrHfTnJ.netinvoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hainvoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/jp/JOinvoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.gagalive.kr/livechat1.swf?chatroom=inchat-invoice.pdf.exefalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/jp/invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/oninvoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fontbureau.comeOinvoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fontbureau.comdinvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comlinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cninvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/6OJinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlinvoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.jiyu-kobo.co.jp/sinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/$OXinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.comessedwOinvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers8invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/ConnAOinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.carterandcone.comanginvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.fontbureau.comituF$OXinvoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		low
                                                  http://www.jiyu-kobo.co.jp/vvinvoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.jiyu-kobo.co.jp/jp/-OQinvoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown

                                                  Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  185.221.216.77
                                                  		unknownUnited Kingdom
                                                  		393960HOST4GEEKS-LLCUStrue

                                                  General Information

                                                  Joe Sandbox Version:31.0.0 Emerald
                                                  Analysis ID:358190
                                                  Start date:25.02.2021
                                                  Start time:07:44:45
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 8m 5s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:invoice.pdf.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:26
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                  • Quality average: 65%
                                                  • Quality standard deviation: 0%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  Show All
                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 104.43.193.48, 168.61.161.212, 23.218.208.56, 51.11.168.160, 2.20.142.210, 2.20.142.209, 51.103.5.159, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
                                                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  07:45:40API Interceptor999x Sleep call for process: invoice.pdf.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  185.221.216.77invoice copys.exeGet hashmaliciousBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    mail.com-cept.cominvoice copys.exeGet hashmaliciousBrowse
                                                    • 185.221.216.77

                                                    ASN

                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    HOST4GEEKS-LLCUSsynchronossTicket#513473.htmGet hashmaliciousBrowse
                                                    • 185.221.216.34
                                                    invoice copys.exeGet hashmaliciousBrowse
                                                    • 185.221.216.77
                                                    55-2912.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    DAT_G_0259067.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    DAT_G_0259067.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    5349 TED_04235524.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    5349 TED_04235524.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    FILE_122020_VVY_591928.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Archivo_29_48214503.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Adjunto 29 886_473411.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Informacion_29.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Informacion_29.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Informacion_122020_EUH-4262717.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    1923620_YY-5094713.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    Doc 2912 75513.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    DAT.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    ARCHIVOFile_762-36284.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    4640-2912-122020.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    MENSAJE_29_2020.docGet hashmaliciousBrowse
                                                    • 66.85.46.76
                                                    MENSAJE_29_2020.docGet hashmaliciousBrowse
                                                    • 66.85.46.76

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice.pdf.exe.log
                                                    Process:C:\Users\user\Desktop\invoice.pdf.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):664
                                                    Entropy (8bit):5.288448637977022
                                                    Encrypted:false
                                                    SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                    MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                    SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                    SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                    SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.588265788010279
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:invoice.pdf.exe
                                                    File size:486912
                                                    MD5:d3bb643f07aee4cc6be3d303222bd2c9
                                                    SHA1:a5804c4525cb33a8eb1a4c534e9da3824a826980
                                                    SHA256:4e49cd4c9abc7a87bd4da347a31454701ab005bf1f9d9295b9f16de4353f56dc
                                                    SHA512:6fe8c0d2471df4ee732299628dedfaf575501cd8cb2efa1a1ad2ab5e6dafa1e9941fd8da1359f2b9de7481406cd33d9e4172df55ecf6b585ee9580b2ee74b693
                                                    SSDEEP:12288:XH5M2ZZvHLaMoOsT8XvgynR2yLc5GOqhiyI3N4Y:Xq2Z5uMcT8/pnLc585WN4
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..d..........f.... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x478266
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x6036D2FE [Wed Feb 24 22:28:14 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v2.0.50727
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x782140x4f.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x7a0000x5dc.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x7c0000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x7626c0x76400False0.812343089323data7.60133626951IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x7a0000x5dc0x600False0.43359375data4.22610011924IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0x7c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountry
                                                    RT_VERSION0x7a0900x34cdata
                                                    RT_MANIFEST0x7a3ec0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Version Infos

                                                    DescriptionData
                                                    Translation0x0000 0x04b0
                                                    LegalCopyrightCopyright 2016 - 2021
                                                    Assembly Version1.0.0.0
                                                    InternalNameTRACEQUERYINFOCLASS.exe
                                                    FileVersion1.0.0.0
                                                    CompanyName
                                                    LegalTrademarks
                                                    Comments
                                                    ProductNameASM PS
                                                    ProductVersion1.0.0.0
                                                    FileDescriptionASM PS
                                                    OriginalFilenameTRACEQUERYINFOCLASS.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Feb 25, 2021 07:47:11.041878939 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.099550009 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.099716902 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.234230995 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.238316059 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.298199892 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.299180031 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.360979080 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.401804924 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.406331062 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.472676039 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.472706079 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.472729921 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.472743988 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.472771883 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.472800970 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.475091934 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.483385086 CET49748587192.168.2.7185.221.216.77
                                                    Feb 25, 2021 07:47:11.542651892 CET58749748185.221.216.77192.168.2.7
                                                    Feb 25, 2021 07:47:11.545597076 CET49748587192.168.2.7185.221.216.77

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Feb 25, 2021 07:45:29.929872990 CET53537758.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:30.501810074 CET5183753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:30.563373089 CET53518378.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:30.723601103 CET5541153192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:30.772183895 CET53554118.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:40.010601997 CET6366853192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:40.067771912 CET53636688.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:41.132278919 CET5464053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:41.181118011 CET53546408.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:42.356674910 CET5873953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:42.405380964 CET53587398.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:43.438487053 CET6033853192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:43.487229109 CET53603388.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:45.449098110 CET5871753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:45.500652075 CET53587178.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:46.362993956 CET5976253192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:46.413685083 CET53597628.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:47.211992979 CET5432953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:47.260826111 CET53543298.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:48.251665115 CET5805253192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:48.310827971 CET53580528.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:49.282202005 CET5400853192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:49.340861082 CET53540088.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:50.463219881 CET5945153192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:50.513267040 CET53594518.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:51.425451994 CET5291453192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:51.477083921 CET53529148.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:52.942915916 CET6456953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:52.994226933 CET53645698.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:53.908653021 CET5281653192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:53.969897032 CET53528168.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:55.346628904 CET5078153192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:55.395332098 CET53507818.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:56.127955914 CET5423053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:56.176606894 CET53542308.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:45:59.285716057 CET5491153192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:45:59.334491014 CET53549118.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:00.237407923 CET4995853192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:00.288676023 CET53499588.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:01.296257973 CET5086053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:01.351079941 CET53508608.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:02.185996056 CET5045253192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:02.234764099 CET53504528.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:07.447736979 CET5973053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:07.498127937 CET53597308.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:25.939229012 CET5931053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:25.998996019 CET53593108.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:26.659382105 CET5191953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:26.708070993 CET53519198.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:30.758517981 CET6429653192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:30.816822052 CET53642968.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:33.473304033 CET5668053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:33.524985075 CET53566808.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:34.088426113 CET5882053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:34.145903111 CET53588208.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:34.824124098 CET6098353192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:34.872814894 CET53609838.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:35.417375088 CET4924753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:35.474327087 CET53492478.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:35.961294889 CET5228653192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:36.012943983 CET53522868.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:36.638849974 CET5606453192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:36.669473886 CET6374453192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:36.698359013 CET53560648.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:36.737001896 CET53637448.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:37.587342978 CET6145753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:37.649615049 CET53614578.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:38.487600088 CET5836753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:38.524760962 CET6059953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:38.547660112 CET53583678.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:38.585912943 CET53605998.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:39.448039055 CET5957153192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:39.509650946 CET53595718.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:46:40.122548103 CET5268953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:46:40.171725988 CET53526898.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:47:10.945453882 CET5029053192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:47:11.021434069 CET53502908.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:47:11.447138071 CET6042753192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:47:11.496120930 CET53604278.8.8.8192.168.2.7
                                                    Feb 25, 2021 07:47:13.363775015 CET5620953192.168.2.78.8.8.8
                                                    Feb 25, 2021 07:47:13.433437109 CET53562098.8.8.8192.168.2.7

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                    Feb 25, 2021 07:47:10.945453882 CET192.168.2.78.8.8.80x68aaStandard query (0)mail.com-cept.comA (IP address)IN (0x0001)

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                    Feb 25, 2021 07:47:11.021434069 CET8.8.8.8192.168.2.70x68aaNo error (0)mail.com-cept.com185.221.216.77A (IP address)IN (0x0001)

                                                    SMTP Packets

                                                    TimestampSource PortDest PortSource IPDest IPCommands
                                                    Feb 25, 2021 07:47:11.234230995 CET58749748185.221.216.77192.168.2.7220-uksrv3.websiteserverbox.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 01:47:10 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    Feb 25, 2021 07:47:11.238316059 CET49748587192.168.2.7185.221.216.77EHLO 724536
                                                    Feb 25, 2021 07:47:11.298199892 CET58749748185.221.216.77192.168.2.7250-uksrv3.websiteserverbox.com Hello 724536 [84.17.52.78]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    Feb 25, 2021 07:47:11.299180031 CET49748587192.168.2.7185.221.216.77STARTTLS
                                                    Feb 25, 2021 07:47:11.360979080 CET58749748185.221.216.77192.168.2.7220 TLS go ahead

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    Analysis Process: invoice.pdf.exe PID: 6496 Parent PID: 5760

                                                    General

                                                    Start time:07:45:37
                                                    Start date:25/02/2021
                                                    Path:C:\Users\user\Desktop\invoice.pdf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\invoice.pdf.exe'
                                                    Imagebase:0xb0000
                                                    File size:486912 bytes
                                                    MD5 hash:D3BB643F07AEE4CC6BE3D303222BD2C9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    Analysis Process: invoice.pdf.exe PID: 6580 Parent PID: 6496

                                                    General

                                                    Start time:07:45:41
                                                    Start date:25/02/2021
                                                    Path:C:\Users\user\Desktop\invoice.pdf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\invoice.pdf.exe
                                                    Imagebase:0xf80000
                                                    File size:486912 bytes
                                                    MD5 hash:D3BB643F07AEE4CC6BE3D303222BD2C9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    Disassembly

                                                    Code Analysis

                                                    Reset < >