
Analysis Report Proforma invoice.exe

Overview

General Information

Sample Name: Proforma invoice.exe
Analysis ID: 432701
MD5: f21a47403b0e52b1b4abe5e55a5cb719
SHA1: 4a61f9e71430e8171de1953ee1655443e661a626
SHA256: 4afda0db963cde192e39839e8684735c5f1a229ffbbd5674479845959d76ca86
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Proforma invoice.exe (PID: 4824 cmdline: 'C:\Users\user\Desktop\Proforma invoice.exe' MD5: F21A47403B0E52B1B4ABE5E55A5CB719)
    • schtasks.exe (PID: 3544 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1760 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • newapp.exe (PID: 5824 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • newapp.exe (PID: 4588 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "aaspa@vivaldi.net", "Password": "67968664JeBlachqwin", "Host": "smtp.vivaldi.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(8 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Proforma invoice.exe.da112b8.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.Proforma invoice.exe.da112b8.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.Proforma invoice.exe.da112b8.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.Proforma invoice.exe.da112b8.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
15.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "aaspa@vivaldi.net", "Password": "67968664JeBlachqwin", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Proforma invoice.exe | Virustotal: Detection: 29%
Source: Proforma invoice.exe | ReversingLabs: Detection: 41%
Source: 15.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.Proforma invoice.exe.810000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Proforma invoice.exe | Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack
Source: Proforma invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Proforma invoice.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proforma invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: newapp.exe, newapp.exe.15.dr
Source: Binary string: mscorrc.pdb source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmp
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: http://sDFZcX.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comi
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Proforma invoice.exe, 00000001.00000003.209966123.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue
Source: Proforma invoice.exe, 00000001.00000003.209907393.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comueT
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma invoice.exe, 00000001.00000003.212080424.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma invoice.exe, 00000001.00000003.213404031.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html0
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma invoice.exe, 00000001.00000003.213404031.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlj
Source: Proforma invoice.exe, 00000001.00000003.212807113.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proforma invoice.exe, 00000001.00000003.212063370.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/l
Source: Proforma invoice.exe, 00000001.00000003.212393462.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers4
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma invoice.exe, 00000001.00000003.212358398.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers=
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersn
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com:
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comT.TTF1
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comV
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.213749822.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Proforma invoice.exe, 00000001.00000003.214083916.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: Proforma invoice.exe, 00000001.00000003.212358398.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomtV
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Proforma invoice.exe, 00000001.00000003.213054179.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd:
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: Proforma invoice.exe, 00000001.00000003.219616675.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: Proforma invoice.exe, 00000001.00000003.212063370.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiva
Source: Proforma invoice.exe, 00000001.00000003.213300856.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commito_
Source: Proforma invoice.exe, 00000001.00000003.212267014.000000000569C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtV
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comue
Source: Proforma invoice.exe, 00000001.00000003.213865166.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comueedI
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma invoice.exe, 00000001.00000003.209412965.00000000056C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma invoice.exe, 00000001.00000003.208978324.00000000056BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnR(2
Source: Proforma invoice.exe, 00000001.00000003.216206445.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp, Proforma invoice.exe, 00000001.00000003.215346137.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma invoice.exe, 00000001.00000003.215304282.000000000569D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/v
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: Proforma invoice.exe, 00000001.00000003.210641837.0000000005698000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Proforma invoice.exe, 00000001.00000003.210896575.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Proforma invoice.exe, 00000001.00000003.210099091.0000000005695000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sNT
Source: Proforma invoice.exe, 00000001.00000003.210220551.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sRA
Source: Proforma invoice.exe, 00000001.00000003.210099091.0000000005695000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/su1
Source: Proforma invoice.exe, 00000001.00000003.210552141.000000000569B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: Proforma invoice.exe, 00000001.00000003.220603699.00000000056C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.b7
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Proforma invoice.exe, 00000001.00000002.320631388.0000000006922000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma invoice.exe, 00000001.00000003.209798559.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Proforma invoice.exe, 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, RegSvcs.exe, 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Proforma invoice.exe, 00000001.00000002.314828017.000000000101A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 15.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b05A5ADEFu002d639Cu002d4893u002dBC8Bu002d652238502014u007d/u0033641B4B2u002dA8E7u002d4271u002dA8F2u002dBFB87CA30B05.csLarge array initialization: .cctor: array initializer size 11751
                      Source: 15.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b05A5ADEFu002d639Cu002d4893u002dBC8Bu002d652238502014u007d/u0033641B4B2u002dA8E7u002d4271u002dA8F2u002dBFB87CA30B05.csLarge array initialization: .cctor: array initializer size 11751
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Proforma invoice.exe
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFECE8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFC1F0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFC570
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF8A60
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFCBF8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF87C8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF2F90
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFFB80
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF2770
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFE368
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFDB60
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF00F1
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF54A8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF5499
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF9050
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFD038
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF0100
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFC290
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FFE7B8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_00FF2F80
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07076D78
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070757B8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07076FB8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07076A38
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07074060
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070760B8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07071EE0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_0707452C
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07071D30
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07071D40
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07070978
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07070988
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070757A8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070759DF
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070759F0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07073401
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07073420
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07076A28
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07074050
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07076068
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07072E9D
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070760A8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070748B1
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070742B0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070748C0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_070742C0
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07071ACB
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07072EC8
                      Source: C:\Users\user\Desktop\Proforma invoice.exeCode function: 1_2_07071AD8
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\newapp\newapp.exe D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                      Source: Proforma invoice.exeBinary or memory string: OriginalFilename vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.315748582.000000000300C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVAkTBYOPsNMUVxPRYEUwnMb.exe4 vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.323056808.0000000006FE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.324184380.0000000008E90000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.324327287.0000000008F80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.324327287.0000000008F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.314144932.00000000008F6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamezdK5.exe: vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.314828017.000000000101A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Proforma invoice.exe
                      Source: Proforma invoice.exe, 00000001.00000002.315763569.0000000003010000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs Proforma invoice.exe
                      Source: Proforma invoice.exeBinary or memory string: OriginalFilenamezdK5.exe: vs Proforma invoice.exe
                      Source: C:\Users\user\Desktop\Proforma invoice.exeSection loaded: windows.staterepositoryps.dll
                      Source: Proforma invoice.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 15.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 15.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 15.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 15.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/7@0/0
Source: C:\Users\user\Desktop\Proforma invoice.exe File created: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe
Source: C:\Users\user\Desktop\Proforma invoice.exe Mutant created: \Sessions\1\BaseNamedObjects\amofltH
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_01
Source: C:\Users\user\Desktop\Proforma invoice.exe File created: C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp
Source: Proforma invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Proforma invoice.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Proforma invoice.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma invoice.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Proforma invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Proforma invoice.exe Virustotal: Detection: 29%
Source: Proforma invoice.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\Proforma invoice.exe File read: C:\Users\user\Desktop\Proforma invoice.exe
Source: unknown Process created: C:\Users\user\Desktop\Proforma invoice.exe 'C:\Users\user\Desktop\Proforma invoice.exe'
Source: C:\Users\user\Desktop\Proforma invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Users\user\Desktop\Proforma invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Proforma invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Proforma invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Proforma invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Proforma invoice.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proforma invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: newapp.exe, newapp.exe.15.dr
Source: Binary string: mscorrc.pdb source: Proforma invoice.exe, 00000001.00000002.321639186.0000000006DE0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Proforma invoice.exe Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Proforma invoice.exe Unpacked PE file: 1.2.Proforma invoice.exe.810000.0.unpack
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00812EB2 pushad ; iretd
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00816C3C push edx; iretd
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00FF64FE push 03FFFFFCh; retf
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00FF1001 pushad ; iretd
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00FF5971 push esp; iretd
Source: C:\Users\user\Desktop\Proforma invoice.exe Code function: 1_2_00FF4320 pushad ; ret
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 22_2_05750F53 push 44418B01h; ret
Source: initial sample Static PE information: section name: .text entropy: 7.0859237683
Source: C:\Users\user\Desktop\Proforma invoice.exe File created: C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Proforma invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Proforma invoice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Proforma invoice.exe PID: 4824, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Proforma invoice.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Proforma invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: threadDelayed 379
Source: C:\Users\user\Desktop\Proforma invoice.exe TID: 5488 Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\Proforma invoice.exe TID: 5644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 5604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Proforma invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Proforma invoice.exe, 00000001.00000002.315686730.0000000002FC1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000F.00000002.476782616.0000000005870000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Proforma invoice.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Proforma invoice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma invoice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\Proforma invoice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: D4C008
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
Source: C:\Users\user\Desktop\Proforma invoice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 0000000F.00000002.473646330.0000000001770000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; file source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; file source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 1760, type: MEMORY
Source: Yara match; file source: Process Memory Space: Proforma invoice.exe PID: 4824, type: MEMORY
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 1760, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; file source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; file source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 1760, type: MEMORY
Source: Yara match; file source: Process Memory Space: Proforma invoice.exe PID: 4824, type: MEMORY
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.Proforma invoice.exe.da112b8.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
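The Yara match lines above name the memory region each hit came from, and the behaviour lines earlier in the report record what each process touched. The following Python is an added triage helper written for this page; it is not Joe Sandbox code or output. It parses a handful of lines copied verbatim from this report (including the fused "exeQueries" and "matchFile" artifacts of the text extraction) into per-process activity counts, flags the MachineGuid read, and decodes the memory-dump names. It assumes the dump name format <process index>.<dump point>.<dump id>.<region base>.<protection>.<n>.sdmp: the process index and region base are consistent with the unpack names on this page (0000000F / 15 and base 0x402000 for RegSvcs.exe at image base 0x400000; 00000001 / 1 for Proforma invoice.exe), while reading the fifth field as a Windows page-protection value is an assumption. PAGE_EXECUTE_READWRITE (0x40) and PAGE_READWRITE (0x04) are the standard winnt.h constants.

```python
"""Triage helper for flattened sandbox-report lines (added example; not Joe Sandbox code)."""
import re
from collections import Counter, defaultdict

# Windows memory-protection constants from winnt.h, used to read the protection field.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Constructed sample input: lines copied from this report as extracted (words fused).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\Proforma invoice.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation",
    r"Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation",
    r"Source: C:\Users\user\Desktop\Proforma invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    "Source: Yara matchFile source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 1.2.Proforma invoice.exe.da112b8.8.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1760, type: MEMORY",
]

# Behaviour lines: process path fused to the action name, then the target.
BEHAVIOUR_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)"
    r"(?P<action>Queries volume information|Key value queried): (?P<target>.+)$"
)
# ASSUMED dump-name scheme: <process index>.<dump point>.<dump id>.<base>.<protection>.<n>.sdmp
# (\W* tolerates both the fused "matchFile" extraction and a cleaned "match; file").
SDMP_RE = re.compile(
    r"^Source: Yara match\W*[Ff]ile source: (?P<idx>[0-9A-Fa-f]{8})\.(?P<point>[0-9A-Fa-f]{8})"
    r"\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp, type: MEMORY$"
)
UNPACK_RE = re.compile(
    r"^Source: Yara match\W*[Ff]ile source: (?P<idx>\d+)\.\d+\.(?P<image>.+?)"
    r"\.(?P<base>[0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack, type: UNPACKEDPE$"
)
PID_RE = re.compile(r"Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+), type: MEMORY$")


def classify_target(action, target):
    """Bucket a behaviour target so per-process activity can be counted."""
    if action == "Key value queried":
        return "registry"
    if "\\Fonts\\" in target:
        return "font_file"      # font enumeration: typical .NET/WinForms stealer noise
    if "\\assembly\\GAC" in target:
        return "gac_assembly"   # GAC probes: a .NET payload resolving its dependencies
    return "other_file"


def parse_behaviour(lines):
    """Return ({process: Counter(kind)}, {process: [flags]}) from behaviour lines."""
    per_proc, flags = defaultdict(Counter), defaultdict(list)
    for line in lines:
        m = BEHAVIOUR_RE.match(line.strip())
        if not m:
            continue
        proc = m["proc"].rsplit("\\", 1)[-1]
        per_proc[proc][classify_target(m["action"], m["target"])] += 1
        if m["target"].endswith("MachineGuid"):
            flags[proc].append("MachineGuid read (host fingerprint)")
    return per_proc, flags


def parse_yara(lines):
    """Decode Yara memory-dump hits and label them with process image and protection."""
    images, pids, dumps = {}, {}, []
    for line in lines:
        line = line.strip()
        if (u := UNPACK_RE.match(line)):
            images[int(u["idx"])] = u["image"]          # process index -> image name
        elif (p := PID_RE.search(line)):
            pids[p["image"]] = int(p["pid"])
        elif (d := SDMP_RE.match(line)):
            prot = int(d["prot"], 16)
            dumps.append({
                "idx": int(d["idx"], 16),
                "point": int(d["point"], 16),
                "base": int(d["base"], 16),
                "prot": PAGE_PROTECT.get(prot, hex(prot)),
            })
    for dmp in dumps:
        dmp["image"] = images.get(dmp["idx"], "?")
        dmp["executable"] = dmp["prot"].startswith("PAGE_EXECUTE")
    return dumps, pids


def triage(lines):
    """Summarise per-process activity, fingerprinting flags and where the Yara hits live."""
    per_proc, flags = parse_behaviour(lines)
    dumps, pids = parse_yara(lines)
    rwx_hits = sorted({(d["image"], hex(d["base"])) for d in dumps if d["executable"]})
    rw_hits = sorted({(d["image"], hex(d["base"])) for d in dumps if not d["executable"]})
    return {
        "per_process": {p: dict(c) for p, c in per_proc.items()},
        "flags": dict(flags),
        "pids": pids,
        "rwx_hits": rwx_hits,  # executable regions: the injected / unpacked payload image
        "rw_hits": rw_hits,    # writable-only regions: decrypted stages, heap buffers
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

On this report's lines the split is the useful part: the RegSvcs.exe hit sits at 0x402000 in a PAGE_EXECUTE_READWRITE region, i.e. inside the image injected at 0x400000 (the same base the 15.x.RegSvcs.exe.400000 unpack names carry), whereas the Proforma invoice.exe hits are in PAGE_READWRITE regions, consistent with a decrypted stage held in the loader's own memory before injection. The MachineGuid registry read is attributed to the loader, not the injected payload.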

                      Mitre Att&ck Matrix

Techniques per tactic column of the report's matrix (bracketed digits are the report's count badges, reproduced as extracted; entries without a badge, e.g. Cron or /etc/passwd and /etc/shadow, are the matrix's fixed rows rather than behaviour observed for this sample):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection [212]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [212]; Deobfuscate/Decode Files or Information [1]; Hidden Files and Directories [1]; Obfuscated Files or Information [2]; Software Packing [22]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [321]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph

Behavior Graph ID: 432701   Sample: Proforma invoice.exe   Start date: 10/06/2021   Architecture: WINDOWS   Score: 100

Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree recovered from the graph (digits in parentheses after a process name are the graph's per-process counters, which its legend labels as number of created registry values / files, reproduced as extracted):

Proforma invoice.exe (6)
    dropped: C:\Users\user\AppData\...\BrIEdqyxzN.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmp3BCD.tmp (XML)
    dropped: C:\Users\user\...\Proforma invoice.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    -> RegSvcs.exe (2 6)
           dropped: C:\Users\user\AppData\Roaming\...\newapp.exe (PE32)
           signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> schtasks.exe (1)
           -> conhost.exe
newapp.exe (4)
    -> conhost.exe
newapp.exe (3)
    -> conhost.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Proforma invoice.exe | 29% | Virustotal |
Proforma invoice.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 0% | ReversingLabs |

                      Unpacked PE Files

Source | Detection | Scanner | Label
15.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
15.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
1.2.Proforma invoice.exe.810000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries


                                                            Contacted IPs

                                                            No contacted IP infos

                                                            General Information

                                                            Joe Sandbox Version:32.0.0 Black Diamond
                                                            Analysis ID:432701
                                                            Start date:10.06.2021
                                                            Start time:17:24:12
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 8m 43s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:Proforma invoice.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@10/7@0/0
                                                            EGA Information:Failed
                                                            HDC Information:
                                                            • Successful, ratio: 8.1% (good quality ratio 5.8%)
                                                            • Quality average: 46.6%
                                                            • Quality standard deviation: 36.4%
                                                            HCA Information:
                                                            • Successful, ratio: 95%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

Time      Type             Description
17:25:59  API Interceptor  562x Sleep call for process: RegSvcs.exe modified
17:26:12  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
17:26:20  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            No context

                                                            ASN

                                                            No context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

Match: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Associated sample name / URL, Detection:
• NEW ORDER (Ref PO-298721).exe, malicious
• Quotation 68094.exe, malicious
• Quotation 68094.exe, malicious
• LPO-6809.exe, malicious
• 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, malicious
• Doc.17135273873.5A0AFF5F.exe, malicious
• eReceipt.pdf.exe, malicious
• TPA AGREEMENT00038499530.exe, malicious
• Swift copy.exe, malicious
• f90FtWrVT4.exe, malicious
• kYXjS6Oc3S.exe, malicious
• eK1KiJlz3l.exe, malicious
• 80tzo8FG3d.exe, malicious
• SecuriteInfo.com.Trojan.PackedNET.645.23105.exe, malicious
• JQEl8bosea.exe, malicious
• YfceI5MZX4.exe, malicious
• TSskTqG9V9.exe, malicious
• oE6O5K1emC.exe, malicious
• GS_ PO NO.1862021.exe, malicious
• wDIaJji4Vv.exe, malicious

                                                                                                    Created / dropped Files

                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proforma invoice.exe.log
                                                                                                    Process:C:\Users\user\Desktop\Proforma invoice.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):525
                                                                                                    Entropy (8bit):5.2874233355119316
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                                                    MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                                                    SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                                                    SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                                                    SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                                                    Malicious:true
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\newapp.exe.log
                                                                                                    Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):120
                                                                                                    Entropy (8bit):5.016405576253028
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                                    MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                                    SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                                    SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                                    SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                    C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp
                                                                                                    Process:C:\Users\user\Desktop\Proforma invoice.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1643
                                                                                                    Entropy (8bit):5.1928219029237015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBLtn:cbh47TlNQ//rydbz9I3YODOLNdq3b
                                                                                                    MD5:3E891A275D4F532A361E59E081A8FBD3
                                                                                                    SHA1:948315C2E401FC90BDC5A509599DF9C935A8362E
                                                                                                    SHA-256:E55DEFA18AE9E2F6A4CFAC85E1F6A83FBBA13B01AD50F5A495191A937D43D29A
                                                                                                    SHA-512:3A7F656D5C156DCF62874AD55F292FE9A7727794C0C770AF1FFC0A11E66E1FDAD8332DD944380C3588AFB18B0637B557A8129A887E80A0D09D867753FC90A744
                                                                                                    Malicious:true
                                                                                                    Reputation:low
                                                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                                                    C:\Users\user\AppData\Roaming\BrIEdqyxzN.exe
                                                                                                    Process:C:\Users\user\Desktop\Proforma invoice.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):935936
                                                                                                    Entropy (8bit):7.081994377848122
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:OsmPvpfwwzRQHGoXsp+uRYteSfoGC0VqE0ZLOfBWJwvmgurhOoHDe8P9E3AulToP:OsUJwwzRDoe+uSBzCKqE0ZLOoJw5i
                                                                                                    MD5:F21A47403B0E52B1B4ABE5E55A5CB719
                                                                                                    SHA1:4A61F9E71430E8171DE1953EE1655443E661A626
                                                                                                    SHA-256:4AFDA0DB963CDE192E39839E8684735C5F1A229FFBBD5674479845959D76CA86
                                                                                                    SHA-512:A15330493F853F26F10E62941EAB31A61852CFF987773E96405B1D73C4BA0A61A2136EAB129243571A226B7C5DC74541E5AD0E925F103831891C9046DC273C9A
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 41%
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..2...........P... ...`....@.. ....................................@.................................XP..S....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............F..............@..B.................P......H...................r....................................................0..<.......(.... ..S. .?S.a%..^E................+.(..... ...YZ .)g.a+.*.0..B.......r...p. .a.. (...a%...^E........t...X.......0...................8.....r...p(....(....-. |4..%+. .?.%&. .x..Za+........s....(....%.(.....(.... ..}.8t...r...p(..... .o..Z ...Ma8X....(....(....r...p(....,. .".=%+. .w&%&. ....Za8%...(......,. +vd.%+. ....%&8.....r+..p(....(....-. ..D.%+. 4F/.%&. .[..Za8.....(.... ...8....*..
                                                                                                    C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):3.7515815714465193
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                                                                                    MD5:71369277D09DA0830C8C59F9E22BB23A
                                                                                                    SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                                                                                    SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                                                                                    SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                                                                                    Malicious:true
                                                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: NEW ORDER (Ref PO-298721).exe, Detection: malicious
• Filename: Quotation 68094.exe, Detection: malicious
• Filename: Quotation 68094.exe, Detection: malicious
• Filename: LPO-6809.exe, Detection: malicious
• Filename: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Detection: malicious
• Filename: Doc.17135273873.5A0AFF5F.exe, Detection: malicious
• Filename: eReceipt.pdf.exe, Detection: malicious
• Filename: TPA AGREEMENT00038499530.exe, Detection: malicious
• Filename: Swift copy.exe, Detection: malicious
• Filename: f90FtWrVT4.exe, Detection: malicious
• Filename: kYXjS6Oc3S.exe, Detection: malicious
• Filename: eK1KiJlz3l.exe, Detection: malicious
• Filename: 80tzo8FG3d.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.PackedNET.645.23105.exe, Detection: malicious
• Filename: JQEl8bosea.exe, Detection: malicious
• Filename: YfceI5MZX4.exe, Detection: malicious
• Filename: TSskTqG9V9.exe, Detection: malicious
• Filename: oE6O5K1emC.exe, Detection: malicious
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: wDIaJji4Vv.exe, Detection: malicious
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    \Device\ConDrv
                                                                                                    Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1145
                                                                                                    Entropy (8bit):4.462201512373672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
                                                                                                    MD5:46EBEB88876A00A52CC37B1F8E0D0438
                                                                                                    SHA1:5E5DB352F964E5F398301662FF558BD905798A65
                                                                                                    SHA-256:D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
                                                                                                    SHA-512:E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
                                                                                                    Malicious:false
                                                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.081994377848122
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:Proforma invoice.exe
                                                                                                    File size:935936
                                                                                                    MD5:f21a47403b0e52b1b4abe5e55a5cb719
                                                                                                    SHA1:4a61f9e71430e8171de1953ee1655443e661a626
                                                                                                    SHA256:4afda0db963cde192e39839e8684735c5f1a229ffbbd5674479845959d76ca86
                                                                                                    SHA512:a15330493f853f26f10e62941eab31a61852cff987773e96405b1d73c4ba0a61a2136eab129243571a226b7c5dc74541e5ad0e925f103831891c9046dc273c9a
                                                                                                    SSDEEP:12288:OsmPvpfwwzRQHGoXsp+uRYteSfoGC0VqE0ZLOfBWJwvmgurhOoHDe8P9E3AulToP:OsUJwwzRDoe+uSBzCKqE0ZLOoJw5i
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..2...........P... ...`....@.. ....................................@................................

                                                                                                    File Icon

                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x4e50ae
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0x60C1D8B6 [Thu Jun 10 09:17:42 2021 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:v2.0.50727
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line is repeated 97 times in the listing: after the 6-byte CLR entry stub the preview is zero padding, which the disassembler decodes as add byte ptr [eax], al)

                                                                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe5058          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe6000          0x10f8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xe30b4       0xe3200   False     0.663963607595   data       7.0859237683    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xe6000          0x10f8        0x1200    False     0.377170138889   data       4.9068764464    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                    Resources

Name         RVA      Size   Type                                                                              Language  Country
RT_VERSION   0xe60a0  0x32c  data
RT_MANIFEST  0xe63cc  0xd25  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                                                                    Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                    Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017 - 2021
Assembly Version  1.0.0.0
InternalName      zdK5.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Pharmacy POS
ProductVersion    1.0.0.0
FileDescription   Pharmacy POS
OriginalFilename  zdK5.exe
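The static facts above fit together: the entry point is the six-byte CLR stub jmp dword ptr [00402000h], 0x402000 is ImageBase plus the IAT directory at RVA 0x2000, the only import is mscoree.dll!_CorExeMain, the COM descriptor at RVA 0x2008 marks the file as a managed assembly, DllCharacteristics 0x8540 decodes to DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE, and a .text entropy of 7.09 in a managed image points at packed or encrypted content rather than plain IL. Note also that the version resource names the file zdK5.exe / "Pharmacy POS" while it was delivered as Proforma invoice.exe. The following is an added example written for this page, not code from the sandbox vendor or from the sample: a pure-Python PE32 parser that extracts exactly these fields, run against a constructed PE32 that mirrors the report's layout (its RVAs, names and pseudo-random .text filler are assumptions standing in for the real file, so the example runs offline). parse_pe32 works unchanged on a real file read from disk.

```python
import struct
from collections import Counter
from hashlib import sha256
from math import log2
DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "COPYRIGHT",
        "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
DLLCHARS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}

def entropy(data):
    """Shannon entropy in bits per byte (0..8), the scale used in the Sections table above."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def rva_to_off(sections, rva):
    for s in sections:                                  # map an RVA to a file offset through the section table
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("ascii")

def parse_pe32(blob):
    """Headers, data directories, sections with entropy, imports and the entry stub of a PE32 file."""
    pe = struct.unpack_from("<I", blob, 0x3C)[0]                      # e_lfanew
    if blob[:2] != b"MZ" or blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", blob, pe + 6)[0], struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    entry, image_base = struct.unpack_from("<I", blob, opt + 16)[0], struct.unpack_from("<I", blob, opt + 28)[0]
    dllchars, ndirs = struct.unpack_from("<H", blob, opt + 70)[0], struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", blob, opt + 96 + 8 * i)
        if va or size:
            dirs[DIRS[i]] = (va, size)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw_ptr": rawptr,
                         "raw_size": rawsize, "entropy": entropy(blob[rawptr:rawptr + rawsize])})
    # IMAGE_IMPORT_DESCRIPTORs are 20 bytes each and end with an all-zero one; each thunk is an RVA to hint+name.
    imports, desc = [], (rva_to_off(sections, dirs["IMPORT"][0]) if "IMPORT" in dirs else None)
    while desc is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", blob, desc)
        if not (ilt or name_rva or iat):
            break
        thunk = rva_to_off(sections, ilt or iat)
        while ent := struct.unpack_from("<I", blob, thunk)[0]:
            sym = f"#{ent & 0xFFFF}" if ent & 0x80000000 else cstr(blob, rva_to_off(sections, ent) + 2)
            imports.append((cstr(blob, rva_to_off(sections, name_rva)), sym))
            thunk += 4
        desc += 20
    off = rva_to_off(sections, entry)                   # managed PE32 entry: FF 25 <abs IAT slot> -> _CorExeMain
    stub = struct.unpack_from("<I", blob, off + 2)[0] if blob[off:off + 2] == b"\xff\x25" else None
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections, "imports": imports,
            "is_dotnet": "COM_DESCRIPTOR" in dirs,
            "dll_characteristics": sorted(n for b, n in DLLCHARS.items() if dllchars & b),
            "clr_stub": "IAT" in dirs and stub == image_base + dirs["IAT"][0]}

def build_sample_pe():
    """Constructed stand-in for the sample (not its real bytes): IAT at RVA 0x2000, CLR header at 0x2008,
    mscoree.dll!_CorExeMain as the only import, entry stub through the IAT, pseudo-random .text filler."""
    image_base, entry_rva = 0x400000, 0x2300
    text = bytearray(b"".join(sha256(bytes([i])).digest() for i in range(48)))      # 0x600 bytes of filler
    struct.pack_into("<II", text, 0x000, 0x2240, 0)                                 # IAT: one thunk + terminator
    text[0x008:0x050] = struct.pack("<IHH", 0x48, 2, 5).ljust(0x48, b"\0")          # IMAGE_COR20_HEADER, runtime 2.5
    text[0x200:0x228] = struct.pack("<IIIII", 0x2228, 0, 0, 0x2230, 0x2000) + bytes(20)  # import descriptor + null
    struct.pack_into("<II", text, 0x228, 0x2240, 0)                                 # import lookup table
    text[0x230:0x250] = b"mscoree.dll\0".ljust(16, b"\0") + b"\0\0_CorExeMain\0".ljust(16, b"\0")
    text[0x300:0x306] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)        # jmp dword ptr [00402000h]
    rsrc, reloc = bytearray(0x200), bytearray(0x200)
    rsrc[0x20:0x3E] = "VS_VERSION_INFO".encode("utf-16-le")
    struct.pack_into("<II", reloc, 0, 0x2000, 0xC)                                  # one empty relocation block
    secs = [(b".text", 0x2000, text, 0x60000020), (b".rsrc", 0x4000, rsrc, 0x40000040),
            (b".reloc", 0x6000, reloc, 0x42000040)]
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                         # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(secs), 0x60C1D8B6, 0, 0, 0xE0, 0x0102)  # file header
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", hdr, 0x98, 0x10B, 8, 0, len(text), 0x400, 0, entry_rva,
                     0x2000, 0x4000, image_base, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x8000, 0x200, 0, 2, 0x8540,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)                     # DllCharacteristics = 0x8540
    directories = {1: (0x2200, 0x4E), 2: (0x4000, 0x200), 5: (0x6000, 0xC), 12: (0x2000, 8), 14: (0x2008, 0x48)}
    for i, (va, sz) in directories.items():
        struct.pack_into("<II", hdr, 0xF8 + 8 * i, va, sz)
    raw, body = 0x200, b""
    for i, (name, va, data, flags) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x178 + 40 * i, name, len(data), va, len(data), raw, 0, 0, 0, 0, flags)
        raw, body = raw + len(data), body + data
    return bytes(hdr) + body

if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<7} va={s['va']:#x} raw={s['raw_size']:#x} entropy={s['entropy']:.2f}")
    print(pe["imports"], pe["dll_characteristics"], pe["is_dotnet"], pe["clr_stub"])
```

On a real file use parse_pe32(open(path, "rb").read()). Three results carry the triage weight for a sample like this one: is_dotnet (a COM descriptor is present, so the IL is what needs decompiling, not the x86 at the entry point), clr_stub (the entry point is the standard jump through the IAT, so no native code runs before mscoree.dll), and a .text entropy above 7, which in a managed image means the real payload is stored encrypted or compressed and unpacked at run time.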

                                                                                                    Network Behavior

                                                                                                    No network behavior found

                                                                                                    Code Manipulations

                                                                                                    Statistics

                                                                                                    Behavior


                                                                                                    System Behavior

                                                                                                    General

                                                                                                    Start time:17:25:01
                                                                                                    Start date:10/06/2021
                                                                                                    Path:C:\Users\user\Desktop\Proforma invoice.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\Desktop\Proforma invoice.exe'
                                                                                                    Imagebase:0x810000
                                                                                                    File size:935936 bytes
                                                                                                    MD5 hash:F21A47403B0E52B1B4ABE5E55A5CB719
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.316461011.0000000003FC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.324553580.000000000D971000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    Reputation:low

                                                                                                    General

                                                                                                    Start time:17:25:48
                                                                                                    Start date:10/06/2021
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BrIEdqyxzN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3BCD.tmp'
                                                                                                    Imagebase:0x3f0000
                                                                                                    File size:185856 bytes
                                                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:17:25:49
                                                                                                    Start date:10/06/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

General

Start time: 17:25:50
Start date: 10/06/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xa50000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.471894624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.312877821.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.475063671.0000000003181000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 17:26:20
Start date: 10/06/2021
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Imagebase: 0xfc0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 17:26:20
Start date: 10/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:26:29
Start date: 10/06/2021
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Imagebase: 0x7ff6883e0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 17:26:30
Start date: 10/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
