Windows Analysis Report Purchase Order No.48743310321-RCN.pdf.exe

Overview

General Information

Sample Name: Purchase Order No.48743310321-RCN.pdf.exe
Analysis ID: 458825
MD5: 2c32499d41cd6c7508ecd32f9a6c37cb
SHA1: c9a9e04a6bcbca11be25bd2d931e02f945840e0e
SHA256: 167b72ba0a1621ff746ce27f61d61e45cfbaf3e206aa7e92dcad19cd94a0f4c9
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "cspuri@searchnet.co.in", "Password": "22june1969", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started. Author: Florian Roth (rule), @blu3_team (idea). Data: Command: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, CommandLine: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, CommandLine|base64offset|contains: :^, Image: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, NewProcessName: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe', ParentImage: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, ParentProcessId: 6864, ProcessCommandLine: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe, ProcessId: 7084

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "cspuri@searchnet.co.in", "Password": "22june1969", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: Purchase Order No.48743310321-RCN.pdf.exe, Virustotal: Detection: 21%
Source: Purchase Order No.48743310321-RCN.pdf.exe, ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: Purchase Order No.48743310321-RCN.pdf.exe, Joe Sandbox ML: detected
Source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: Purchase Order No.48743310321-RCN.pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order No.48743310321-RCN.pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49751 -> 208.91.198.143:587
Source: global traffic, TCP traffic: 192.168.2.6:49751 -> 208.91.198.143:587
Source: Joe Sandbox View, IP Address: 208.91.198.143
Source: unknown, DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary:

.NET source code contains very large array initializations
Source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, <PrivateImplementationDetails>{E4D5205A-BB05-4D57-9FA4-804E3C27F412}/31D4DD35-4785-4FEE-985F-AC29EDED930C.cs, Large array initialization: .cctor: array initializer size 11940
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000000.334519569.000000000018C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSecurityCriticalSco.exe2 vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.373774787.0000000003B77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHGZBanCKcKqHyRlJLxJcOUanPAreRc.exe4 vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.377946918.0000000005540000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.381747828.0000000006AB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000000.362516242.0000000000B5C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSecurityCriticalSco.exe2 vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.605355867.00000000012CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.604053000.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameHGZBanCKcKqHyRlJLxJcOUanPAreRc.exe4 vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.612081519.00000000063C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe | Binary or memory string: OriginalFilenameSecurityCriticalSco.exe2 vs Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order No.48743310321-RCN.pdf.exe.log
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order No.48743310321-RCN.pdf.exe | Virustotal: Detection: 21%
Source: Purchase Order No.48743310321-RCN.pdf.exe | ReversingLabs: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe 'C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe'
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Process created: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static file information: File size 1343488 > 1048576
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108a00
Source: Purchase Order No.48743310321-RCN.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_000D3021 push es; retf | 0_2_000D305C
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008C836 push es; retf | 0_2_0008C973
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008C9C6 push es; ret | 0_2_0008CB53
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008B673 push es; iretd | 0_2_0008C833
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008B673 push es; retf | 0_2_0008C973
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008B673 push es; retf 0001h | 0_2_0008C9C3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008C976 push es; retf 0001h | 0_2_0008C9C3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008C976 push es; ret | 0_2_0008CB53
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008C976 push es; retn 0001h | 0_2_0008CBA3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 0_2_0008B6C0 push es; iretd | 0_2_0008C833
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5C836 push es; retf | 2_2_00A5C973
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5C976 push es; retf 0001h | 2_2_00A5C9C3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5C976 push es; ret | 2_2_00A5CB53
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5C976 push es; retn 0001h | 2_2_00A5CBA3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5B673 push es; iretd | 2_2_00A5C833
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5B673 push es; retf | 2_2_00A5C973
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5B673 push es; retf 0001h | 2_2_00A5C9C3
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5C9C6 push es; ret | 2_2_00A5CB53
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_0109C193 push 8BFFFFFFh; retf | 2_2_0109C1A0
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_0109D770 pushfd ; iretd | 2_2_0109D7E1
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_014CCD51 push esp; iretd | 2_2_014CCD5D
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_00A5B6C0 push es; iretd | 2_2_00A5C833
Source: initial sample | Static PE information: section name: .text entropy: 6.93312397169
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 6864, type: MEMORYSTR
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Window / User API: threadDelayed 1925
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Window / User API: threadDelayed 7904
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe TID: 6868 | Thread sleep time: -44656s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe TID: 6920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe TID: 5108 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe TID: 1472 | Thread sleep count: 1925 > 30
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe TID: 1472 | Thread sleep count: 7904 > 30
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Thread delayed: delay time: 44656
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.605415466.00000000012F2000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Code function: 2_2_010920C8 LdrInitializeThunk | 2_2_010920C8
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Memory written: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Process created: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606068147.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606068147.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606068147.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606068147.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 6864, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 7084, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match | File source: 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 7084, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order No.48743310321-RCN.pdf.exe.3a99380.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 6864, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Purchase Order No.48743310321-RCN.pdf.exe PID: 7084, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Purchase Order No.48743310321-RCN.pdf.exe | 22% | Virustotal |
Purchase Order No.48743310321-RCN.pdf.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Purchase Order No.48743310321-RCN.pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.Purchase Order No.48743310321-RCN.pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.founder.com.cn/cn/.mDgQPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342590541.00000000053DB000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://127.0.0.1:HTTP/1.1Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.fontbureau.com/designersGPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                            high
                            http://www.fontbureau.com/designersLPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.347978843.00000000053E0000.00000004.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/bThePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://us2.smtp.mailhostbox.comPurchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.608665290.000000000323A000.00000004.00000001.sdmpfalse
                                high
                                http://www.fontbureau.com/designers?Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.carterandcone.comalPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comisPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344365594.00000000053DB000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.tiro.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.tiro.compt-bp9Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.sajatypeworks.com)(Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.339423155.00000000053C2000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://www.fontbureau.com/designersPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.urwpp.decoPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.350675167.00000000053E8000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://fontfabrik.comHPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.340365895.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.goodfont.co.krPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342590541.00000000053DB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sandoll.co.kra-ePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342199288.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.carterandcone.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344693914.00000000053DB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.tiro.com-pDPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sakkal.com-pDPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.345607414.00000000053E3000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.founder.com.cn/cn/os=wPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344082496.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.founder.com.cn/cnHPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.343156740.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.carterandcone.com.Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnr-fPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344293261.00000000053DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sajatypeworks.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.339423155.00000000053C2000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers:fVPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.350236959.00000000053DB000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.founder.com.cn/cn/cThePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnrqwLPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.354475745.00000000053DB000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://fontfabrik.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.340365895.00000000053DB000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cnGt2Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344082496.00000000053DB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.founder.com.cn/cnkPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344082496.00000000053DB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.carterandcone.comCPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344693914.00000000053DB000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cnlPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.343529054.00000000053DB000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sandoll.co.krUPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342199288.00000000053DB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlSPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.348964580.00000000053DB000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.carterandcone.comEacPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344531783.00000000053DB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comcesZdtPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.galapagosdesign.com/DPleasePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sandoll.co.krdePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342373554.00000000053DB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comkUIw$Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://www.ascendercorp.com/typedesigners.htmlPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.345856364.00000000053E3000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.345568154.00000000053E3000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fonts.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.krPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.342199288.00000000053DB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deDPleasePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.dePurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.347549498.00000000053E0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.como.Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, Purchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comLPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344400988.00000000053DB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comicPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comcrCwPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344693914.00000000053DB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0Purchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.carterandcone.comcyPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.comPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmpfalse
                                              high
                                              http://DynDns.comDynDNSPurchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlpPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.350089280.00000000053FE000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.tiro.comxPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344082496.00000000053DB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://fontfabrik.comXduPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.340632819.00000000053DB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comopszvsPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344586925.00000000053DB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPurchase Order No.48743310321-RCN.pdf.exe, 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comTCPurchase Order No.48743310321-RCN.pdf.exe, 00000000.00000003.344693914.00000000053DB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
Source process for every row below: Purchase Order No.48743310321-RCN.pdf.exe; the Source column gives the memory dump(s) in which the string was found. Trailing characters after the domain or path (for example "comfac", "comlt") are adjacent bytes carried along by string extraction from the dump, not part of the URL.

Name (URL) | Source (memory dump) | Malicious | Antivirus Detection | Reputation
http://www.carterandcone.comfac | 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://MBZFdJ.com | 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comlt | 00000000.00000003.344502165.00000000053DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comlic | 00000000.00000003.344805994.00000000053DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comdJsb | 00000000.00000003.344693914.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | 00000000.00000003.344768011.00000000053DB000.00000004.00000001.sdmp, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmp | false | (none) | unknown
http://4J6E0P567ihWAlj.com | 00000002.00000002.608496271.0000000003224000.00000004.00000001.sdmp, 00000002.00000002.608705074.0000000003247000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | 00000000.00000003.343529054.00000000053DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn | 00000000.00000003.344082496.00000000053DB000.00000004.00000001.sdmp, 00000000.00000003.343289553.00000000053DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 00000000.00000003.348995889.00000000053FE000.00000004.00000001.sdmp, 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers/cabarga.html | 00000000.00000003.350033354.00000000053FE000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers/S | 00000000.00000003.347825027.00000000053E0000.00000004.00000001.sdmp | false | (none) | high
http://www.urwpp.de-pD | 00000000.00000003.347549498.00000000053E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | 00000000.00000002.368835281.0000000000C17000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno. | 00000000.00000003.344293261.00000000053DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 00000000.00000002.378027529.00000000055B0000.00000002.00000001.sdmp | false | (none) | high
http://en.w~zh | 00000000.00000003.340899721.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com-jpOz | 00000000.00000003.344055794.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com( | 00000000.00000003.340771152.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.galapagosdesign.com/staff/dennis.htmBb | 00000000.00000003.352279308.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comno | 00000000.00000003.339423155.00000000053C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnacs | 00000000.00000003.343529054.00000000053DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | 00000000.00000003.347825027.00000000053E0000.00000004.00000001.sdmp | false | (none) | high
http://www.urwpp.deoApx | 00000000.00000003.347549498.00000000053E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                              Contacted IPs


                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458825
Start date: 03.08.2021
Start time: 19:22:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Purchase Order No.48743310321-RCN.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 25
• Number of non-executed functions: 5
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
Warnings:
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                              • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 20.82.209.183, 20.54.110.249, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.82.210.154, 80.67.82.211, 80.67.82.235, 23.211.4.86
                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
19:23:19 | API Interceptor | 691x Sleep call for process: Purchase Order No.48743310321-RCN.pdf.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

Match: 208.91.198.143
Associated samples from other analyses (each detected as malicious):
• SOA.exe
• Invoice.exe
• Scan#0068-46c3367.exe
• IMG-20210802-WA0587-085.exe
• IMG-20210802-WA0587-087.exe
• order.PDF.exe
• PURCHASE ORDER-PO-S.L 45675675.pdf.exe
• TT COPY.exe
• Pedido urgente.exe
• SecuriteInfo.com.Variant.Zusy.394472.4088.exe
• JMIRLlEMHBPEEQvrxjqCV.exe
• Aditi Tiwari Resume.pdf.exe
• NEW RFQ FROM WEB AFRITECH.doc
• Shipment documents pdf.exe
• REMITTANCE COPY.exe
• ok1.exe
• 4378e6769c14e63e1b385e955ee06b93.exe
• HSBC PAYMENT ADVICE.exe
• Doc-67789845678765670987655.exe
• Doc-67789845678765670987654.exe

                                                                                                      Domains

Match: us2.smtp.mailhostbox.com
Associated samples from other analyses (each detected as malicious), with the IP the domain resolved to in that analysis:

Associated Sample Name | Context (resolved IP)
SOA.exe | 208.91.198.143
MJLkaPZomUolseU.exe | 208.91.199.225
SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe | 208.91.199.224
Invoice.exe | 208.91.198.143
Scan#0068-46c3367.exe | 208.91.198.143
Scan#0068-46c3366.exe | 208.91.199.223
IMG-20210802-WA0587-085.exe | 208.91.198.143
IMG-20210802-WA0587-087.exe | 208.91.198.143
Quotation.exe | 208.91.199.225
PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe | 208.91.199.225
order.PDF.exe | 208.91.198.143
RFQ #7696679TTR6F.exe | 208.91.199.224
Waybill Doc_027942941.exe | 208.91.199.225
Confirmaci#U00f3n de pago .exe | 208.91.199.224
oBNvb4c6bg.exe | 208.91.199.224
TVz86np48Z.exe | 208.91.199.223
Current Vendor Payment Application .doc | 208.91.199.224
XiAn Sunnstatement 27-07-2021 pdf.exe | 208.91.199.223
PURCHASE ORDER-PO-S.L 45675675.pdf.exe | 208.91.198.143
QAP 367893738 Ed 7 pcs.exe | 208.91.199.224

                                                                                                      ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated samples from other analyses (each detected as malicious), with the IP in this ASN that the sample contacted:

Associated Sample Name | Context (contacted IP)
SOA.exe | 208.91.198.143
QUOTATION LIST FOR NEW ORDER.exe | 204.11.58.233
MJLkaPZomUolseU.exe | 208.91.199.225
SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe | 208.91.199.224
Invoice.exe | 208.91.198.143
Scan#0068-46c3367.exe | 208.91.199.224
Scan#0068-46c3366.exe | 208.91.199.223
bin.exe | 119.18.54.122
IMG-20210802-WA0587-085.exe | 208.91.199.224
IMG-20210802-WA0587-087.exe | 208.91.198.143
Quotation.exe | 208.91.199.224
QUOTE 04202021.exe | 103.21.58.16
PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe | 208.91.199.225
order.PDF.exe | 208.91.199.223
RFQ #7696679TTR6F.exe | 208.91.199.224
Waybill Doc_027942941.exe | 208.91.199.225
Confirmaci#U00f3n de pago .exe | 208.91.199.224
triage_dropped_file.exe | 162.222.226.11
oBNvb4c6bg.exe | 208.91.199.224
TVz86np48Z.exe | 208.91.199.223

                                                                                                      JA3 Fingerprints

                                                                                                      No context

                                                                                                      Dropped Files

                                                                                                      No context

                                                                                                      Created / dropped Files

                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order No.48743310321-RCN.pdf.exe.log
Process: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.030776607944976
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Purchase Order No.48743310321-RCN.pdf.exe
File size: 1343488
MD5: 2c32499d41cd6c7508ecd32f9a6c37cb
SHA1: c9a9e04a6bcbca11be25bd2d931e02f945840e0e
SHA256: 167b72ba0a1621ff746ce27f61d61e45cfbaf3e206aa7e92dcad19cd94a0f4c9
SHA512: 91cc50f7d048ab12460ca916d7952cfc5e0d05c25edc8fb55e105d7619c7f80b4bb38cac262774745f71be29e3ec69bdc086a5367b4a13ebaa5ca915ab8d8dc8
SSDEEP: 24576:XRQ+2NOcZUUh8z1Ze/7pfHjYrwdJs0kdB1ZuOlZcjrsK3ON:4/ye/7SrQKdvQFO
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.a..............P.................. ........@.. ....................................@................................

File Icon

Icon Hash: f0c2a07179b396e8

Static PE Info

General

Entrypoint: 0x50a8fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x610957C8 [Tue Aug 3 14:50:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining bytes of the entrypoint preview are zero padding, which the disassembler renders as repeated add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a8a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x3f0b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x108900 | 0x108a00 | False | 0.604084863604 | data | 6.93312397169 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x10c000 | 0x3f0b8 | 0x3f200 | False | 0.744032332921 | data | 7.0657936223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x10c1e0 | 0x103e6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x11c5d8 | 0x10318 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x12c900 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x13d138 | 0x94a8 | data | |
RT_ICON | 0x1465f0 | 0x25a8 | data | |
RT_ICON | 0x148ba8 | 0x10a8 | data | |
RT_ICON | 0x149c60 | 0x988 | data | |
RT_ICON | 0x14a5f8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x14aa70 | 0x76 | data | |
RT_VERSION | 0x14aaf8 | 0x3c0 | data | |
RT_MANIFEST | 0x14aec8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Bloodknight Studios, Slayin
Assembly Version | 1.0.0.9
InternalName | SecurityCriticalSco.exe
FileVersion | 1.0.0.9
CompanyName | Bloodknight Studios
LegalTrademarks |
Comments | Character Stat Calc
ProductName | StatCalc
ProductVersion | 1.0.0.9
FileDescription | Astonia Calc
OriginalFilename | SecurityCriticalSco.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/03/21-19:25:11.953346 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49751 | 587 | 192.168.2.6 | 208.91.198.143

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 19:25:10.665935040 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:10.814945936 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:10.815126896 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.039252996 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.040591002 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.189538002 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.189573050 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.190965891 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.340886116 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.343136072 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.494460106 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.495239973 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.645086050 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.645368099 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.802509069 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.803154945 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.952325106 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:11.953346014 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.953470945 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.954070091 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:11.954134941 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143
Aug 3, 2021 19:25:12.102412939 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:12.102972031 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:12.201294899 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6
Aug 3, 2021 19:25:12.253563881 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143

                                                                                                      UDP Packets


                                                                                                      DNS Queries

                                                                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                      Aug 3, 2021 19:25:10.432324886 CEST | 192.168.2.6 | 8.8.8.8 | 0x3cba | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

                                                                                                      DNS Answers

                                                                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                      Aug 3, 2021 19:25:10.466269970 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
                                                                                                      Aug 3, 2021 19:25:10.466269970 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
                                                                                                      Aug 3, 2021 19:25:10.466269970 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
                                                                                                      Aug 3, 2021 19:25:10.466269970 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)

                                                                                                      SMTP Packets

                                                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                                                      Aug 3, 2021 19:25:11.039252996 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                      Aug 3, 2021 19:25:11.040591002 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | EHLO 701188
                                                                                                      Aug 3, 2021 19:25:11.189573050 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 250-us2.outbound.mailhostbox.com
                                                                                                                                                                                    250-PIPELINING
                                                                                                                                                                                    250-SIZE 41648128
                                                                                                                                                                                    250-VRFY
                                                                                                                                                                                    250-ETRN
                                                                                                                                                                                    250-STARTTLS
                                                                                                                                                                                    250-AUTH PLAIN LOGIN
                                                                                                                                                                                    250-AUTH=PLAIN LOGIN
                                                                                                                                                                                    250-ENHANCEDSTATUSCODES
                                                                                                                                                                                    250-8BITMIME
                                                                                                                                                                                    250 DSN
                                                                                                      Aug 3, 2021 19:25:11.190965891 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | AUTH login Y3NwdXJpQHNlYXJjaG5ldC5jby5pbg==
                                                                                                      Aug 3, 2021 19:25:11.340886116 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 334 UGFzc3dvcmQ6
                                                                                                      Aug 3, 2021 19:25:11.494460106 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 235 2.7.0 Authentication successful
                                                                                                      Aug 3, 2021 19:25:11.495239973 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | MAIL FROM:<cspuri@searchnet.co.in>
                                                                                                      Aug 3, 2021 19:25:11.645086050 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 250 2.1.0 Ok
                                                                                                      Aug 3, 2021 19:25:11.645368099 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | RCPT TO:<cspuri@searchnet.co.in>
                                                                                                      Aug 3, 2021 19:25:11.802509069 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 250 2.1.5 Ok
                                                                                                      Aug 3, 2021 19:25:11.803154945 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | DATA
                                                                                                      Aug 3, 2021 19:25:11.952325106 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 354 End data with <CR><LF>.<CR><LF>
                                                                                                      Aug 3, 2021 19:25:11.954134941 CEST | 49751 | 587 | 192.168.2.6 | 208.91.198.143 | .
                                                                                                      Aug 3, 2021 19:25:12.201294899 CEST | 587 | 49751 | 208.91.198.143 | 192.168.2.6 | 250 2.0.0 Ok: queued as B1BA21C3171

                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Start time: 19:23:07
                                                                                                      Start date: 03/08/2021
                                                                                                      Path: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
                                                                                                      Wow64 process (32bit): true
                                                                                                      Commandline: 'C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe'
                                                                                                      Imagebase: 0x80000
                                                                                                      File size: 1343488 bytes
                                                                                                      MD5 hash: 2C32499D41CD6C7508ECD32F9A6C37CB
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: .Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.372504988.00000000028F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.372935866.0000000003579000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation: low

                                                                                                      General

                                                                                                      Start time: 19:23:20
                                                                                                      Start date: 03/08/2021
                                                                                                      Path: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
                                                                                                      Wow64 process (32bit): true
                                                                                                      Commandline: C:\Users\user\Desktop\Purchase Order No.48743310321-RCN.pdf.exe
                                                                                                      Imagebase: 0xa50000
                                                                                                      File size: 1343488 bytes
                                                                                                      MD5 hash: 2C32499D41CD6C7508ECD32F9A6C37CB
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: .Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.603264270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.606298016.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation: low

                                                                                                      Disassembly

                                                                                                      Code Analysis

                                                                                                        Executed Functions

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00AFBDD0
                                                                                                        • GetCurrentThread.KERNEL32 ref: 00AFBE0D
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00AFBE4A
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00AFBEA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00AF9CCE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 00AF5A81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFC427
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 1dfc30f1c6f75282e112cab4bb5e44ff7944133ab764f93ccc7a9a13d880fd2b
                                                                                                        • Instruction ID: a33aef1bf8d2dd2030ab709b910edc6dd3f7b8793f355bbd00256c1cc5142335
                                                                                                        • Opcode Fuzzy Hash: 1dfc30f1c6f75282e112cab4bb5e44ff7944133ab764f93ccc7a9a13d880fd2b
                                                                                                        • Instruction Fuzzy Hash: FE21E6B59002489FDB10CF9AD584AEEBFF4FF48324F14841AE954A7310D374A945CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFC427
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 7f268f7daadd70ca3c736094488565b81ee86d4477315de165b510870352cbe3
                                                                                                        • Instruction ID: 39ac35e7e20c4c34938eb5ca370d1a13f06ef1ff6ea507a96a7cd57814ed90e5
                                                                                                        • Opcode Fuzzy Hash: 7f268f7daadd70ca3c736094488565b81ee86d4477315de165b510870352cbe3
                                                                                                        • Instruction Fuzzy Hash: 7D21C4B59002489FDB10CF9AD584AEEBBF4EB48324F15841AE954A7310D374A944CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AF9D49,00000800,00000000,00000000), ref: 00AF9F5A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 1029625771-0
                                                                                                        • Opcode ID: a3d76903733a1320a361e8db98aca7072374b8700faec88ae095b0e356abbabc
                                                                                                        • Instruction ID: 95e935fa6795c83936ccbaf176990d2ed4a7105c0d702d339f630e13f1347fc7
                                                                                                        • Opcode Fuzzy Hash: a3d76903733a1320a361e8db98aca7072374b8700faec88ae095b0e356abbabc
                                                                                                        • Instruction Fuzzy Hash: 8B1114B69002499FCB10CF9AC444BEFFBF4EB88314F15842AE519A7600C775A945CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00AF9CCE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        • Opcode ID: 80b69c44d7eb6ba6947da26212b115658a8e06cbba655554969f02fbf5adb9f2
                                                                                                        • Instruction ID: 64fe72919522a8076529c93eab392fac020bba6e782342a52156ccd80abc56ae
                                                                                                        • Opcode Fuzzy Hash: 80b69c44d7eb6ba6947da26212b115658a8e06cbba655554969f02fbf5adb9f2
                                                                                                        • Instruction Fuzzy Hash: C21110B5C002498FCB10CF9AC444BDFFBF4AF88324F15852AD529A7600C374A946CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367642676.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 97a145a4e85b758a1bf57c0ad109253ea552f7a8091de0035c947e055f634a32
                                                                                                        • Instruction ID: 37e5918aa756710f1fb264e91f8d23e2b671fe7ce0c1f4e44a0d51b031275b20
                                                                                                        • Opcode Fuzzy Hash: 97a145a4e85b758a1bf57c0ad109253ea552f7a8091de0035c947e055f634a32
                                                                                                        • Instruction Fuzzy Hash: EA2106B2504244DFDB05CF14D9C0B16BB79FF98324F24C569D8094B296C33AE846D6A1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367867895.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 74b4f0edd4a48b714d7160a5c42f3858feb76433e374a0616253149123440f61
                                                                                                        • Instruction ID: befceeb3e1be1e60c12bc95865278d31c16e3616f8c647c6591eda872324619f
                                                                                                        • Opcode Fuzzy Hash: 74b4f0edd4a48b714d7160a5c42f3858feb76433e374a0616253149123440f61
                                                                                                        • Instruction Fuzzy Hash: 88210471504344DFDB14EF14D9C4B26BB69FB88328F24CA69D8494B386C73AD847CBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367867895.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d695c8464194ece934cea9a6a1ae17b9e45075199360ff2e1a745872d91d9e9e
                                                                                                        • Instruction ID: ad2ab3152c9ec88b71ed58c37ad1f774927ba8d4373525c6777b91c3d05506fb
                                                                                                        • Opcode Fuzzy Hash: d695c8464194ece934cea9a6a1ae17b9e45075199360ff2e1a745872d91d9e9e
                                                                                                        • Instruction Fuzzy Hash: 7F218E755093C08FDB02CF20D990B15BF71EB46314F29C5EAD8498B6A7C33A980ACB62
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367642676.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 089f040691d95437d3e3945d9fc2aad68fd74f4be42516a5277ab229e787303f
                                                                                                        • Instruction ID: ba66705501f9ee92b53273e69f73d7e476549d45b06852a3099caf8443687ccf
                                                                                                        • Opcode Fuzzy Hash: 089f040691d95437d3e3945d9fc2aad68fd74f4be42516a5277ab229e787303f
                                                                                                        • Instruction Fuzzy Hash: 4811D376404280DFDB15CF10D5C4B16BF71FF94324F28C6A9D8090B666C33AE85ACBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367642676.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 06ac5ea8bba0ef70392c74a034427dfab4240e660c0b6bb56c6aa8ee8b3b9e01
                                                                                                        • Instruction ID: e99160d77bd71238360517e81f0e33531076e0dbd5c4a4445358ca40254be82d
                                                                                                        • Opcode Fuzzy Hash: 06ac5ea8bba0ef70392c74a034427dfab4240e660c0b6bb56c6aa8ee8b3b9e01
                                                                                                        • Instruction Fuzzy Hash: 3D01A7B24093449AEB144A25CD847A7BBECEF81338F19C959ED0D5F242D7789C44C6B1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.367642676.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b361df13a4956a5c2958717d277cddedec153cbb9a878b32486dbaf9007e4cf9
                                                                                                        • Instruction ID: 56dfbd4b650803a6ee65df5a40805bf3c2fc646298cfe743f5a9d6dcda290469
                                                                                                        • Opcode Fuzzy Hash: b361df13a4956a5c2958717d277cddedec153cbb9a878b32486dbaf9007e4cf9
                                                                                                        • Instruction Fuzzy Hash: F2F062B2405244AAEB148A19CD84BA2FFACEF91734F18C55AED085B282C3799C44CAB1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Non-executed Functions

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.363136009.0000000000082000.00000002.00020000.sdmp, Offset: 00080000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.363125016.0000000000080000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000000.00000002.363519118.000000000018C000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4e028fc917891c15bf475a9cdf075e42c5034d08ee4e0013d331a4d789e90af0
                                                                                                        • Instruction ID: db050b232e4d722eb60313b8142f4cc9f46517bd84c8475f62c875bc6ab9873d
                                                                                                        • Opcode Fuzzy Hash: 4e028fc917891c15bf475a9cdf075e42c5034d08ee4e0013d331a4d789e90af0
                                                                                                        • Instruction Fuzzy Hash: 4B43342104F7C25FC7138B7458B82E2BFB1AE8322471E85CBD4C08F9A3D6155A69D7B6
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.363136009.0000000000082000.00000002.00020000.sdmp, Offset: 00080000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.363125016.0000000000080000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000000.00000002.363519118.000000000018C000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
                                                                                                        • Instruction ID: 31bd848bf91c9e0d46841736aa9b6d0bc76651d2f1c16b51a71c38ba3b9b5b02
                                                                                                        • Opcode Fuzzy Hash: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
                                                                                                        • Instruction Fuzzy Hash: BF13F7A680E3C19FCB231B346DB56D57FB19E27218B1E08C7C4C18E4A7D168199BCB67
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6769fea5d23c5a1849446f40de4fc262765ff5f602343c836c78739771171179
                                                                                                        • Instruction ID: faf711e619e395dba782f4ac3a45cf6339a90040ebd768341915cbcf18c0dd63
                                                                                                        • Opcode Fuzzy Hash: 6769fea5d23c5a1849446f40de4fc262765ff5f602343c836c78739771171179
                                                                                                        • Instruction Fuzzy Hash: 3A1295F1611F468BE710CF65EC983AE3BA1B745328F924308D2611BAF1D7B8154AEF94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 746fe6c04a272dc46df2d9ae14014fc42f3c52951004cc7707b39ff68d20647e
                                                                                                        • Instruction ID: e10dc88f9303e11dec12f6ed80ce581d93cc9f8d8d8a03856fae8771275b6dd6
                                                                                                        • Opcode Fuzzy Hash: 746fe6c04a272dc46df2d9ae14014fc42f3c52951004cc7707b39ff68d20647e
                                                                                                        • Instruction Fuzzy Hash: 29A14C32E006198FCF05DFA5C9845EDBBB2FF85304B15856AFA05AB261EB31AD55CB40
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.368240032.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 533bc6d77e585856e078fc80c7d0b84b32fe0f93f777d37f22c8a9b3284fded8
                                                                                                        • Instruction ID: 375f3d26a157b160be56a483a09cf6a967adb195344908c31451e9033f2401ff
                                                                                                        • Opcode Fuzzy Hash: 533bc6d77e585856e078fc80c7d0b84b32fe0f93f777d37f22c8a9b3284fded8
                                                                                                        • Instruction Fuzzy Hash: FAC118B1A11B46CBD710DF65EC883AE7B71BB85328F524308D2612B6F0D7B8158ADF94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Executed Functions

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.604432958.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
• Opcode ID: ba0ae702a5c0e6b9fe7658e762f336823012364a02d84edfaf808190666b26ca
• Instruction ID: a357700c255ca2baa47e1a8b1f6013036b9ebea03a8062fe1e42c5c345519501
• Opcode Fuzzy Hash: ba0ae702a5c0e6b9fe7658e762f336823012364a02d84edfaf808190666b26ca
• Instruction Fuzzy Hash: A3723875E007198FCB64EF78C85469EB7F1AF89300F1086A9D54AAB355EF309E85CB81
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 014C69A0
• GetCurrentThread.KERNEL32 ref: 014C69DD
• GetCurrentProcess.KERNEL32 ref: 014C6A1A
• GetCurrentThreadId.KERNEL32 ref: 014C6A73
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: c4433e6265a5a9051c88970423d3df55eaf5db1cf270a66f22f0a764be5aad07
• Instruction ID: 7e0c8f5202a8c5a9549cc93f746a541540479412bffd7d507697fb17a85e96b8
• Opcode Fuzzy Hash: c4433e6265a5a9051c88970423d3df55eaf5db1cf270a66f22f0a764be5aad07
• Instruction Fuzzy Hash: 415164B0A042898FDB94CFA9D548BDEBBF0BF89314F25815EE008AB360C7746844CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 014C69A0
• GetCurrentThread.KERNEL32 ref: 014C69DD
• GetCurrentProcess.KERNEL32 ref: 014C6A1A
• GetCurrentThreadId.KERNEL32 ref: 014C6A73
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d546ccd50c984b5b4ac675ef087ba590a74e45a7f08984fe8a82b4e7371336d4
• Instruction ID: 74b1fee96d822176430055d01163e2bec07ffb30c8038b3e1e143cff88f8c6b0
• Opcode Fuzzy Hash: d546ccd50c984b5b4ac675ef087ba590a74e45a7f08984fe8a82b4e7371336d4
• Instruction Fuzzy Hash: 3C5133B4A002498FDB94CFAAD548BDEBBF0FF88314F25855AE019AB360D7746844CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014C51A2
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ff3ea1cab95522cf6c17af9ddce74e891a011d18289420c3ccc905fc64660b4b
• Instruction ID: b12da6417339557f345023fabd13f5835a33ee001b224df85081897750db32fd
• Opcode Fuzzy Hash: ff3ea1cab95522cf6c17af9ddce74e891a011d18289420c3ccc905fc64660b4b
• Instruction Fuzzy Hash: 5F51C3B5D103499FDF14CF99C884ADEBBB1BF88314F24822EE819AB210DB759945CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014C51A2
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 05f61d0a9ccf67295f669e80acc1453e3281c3ae60ec626e353be0384e570354
• Instruction ID: 6307d60a7ca2ef82eba299ed7dafbb9c041affa1857236a3c2b931e44e181841
• Opcode Fuzzy Hash: 05f61d0a9ccf67295f669e80acc1453e3281c3ae60ec626e353be0384e570354
• Instruction Fuzzy Hash: 7641A1B5D102499FDF14CF99C884ADEBBB5BF88714F24812EE819AB210DB74A945CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 014C7F09
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 1c3bfc4a4f9bc10c3a6ac9487f13bf6412ec12318b121a302631a8e4cd6d13aa
• Instruction ID: c57f3f628505014a718fe340a533525ba3801822eb3d028751172ab44ae01423
• Opcode Fuzzy Hash: 1c3bfc4a4f9bc10c3a6ac9487f13bf6412ec12318b121a302631a8e4cd6d13aa
• Instruction Fuzzy Hash: 3D414BB9A003458FDB54CF99C488AAABBF5FF88714F15C45DE519AB321C774A841CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014C6BEF
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2f88c7a8ff48f3918fb02edd1c945a49ceb3430155b6da30f1e82ecd5c0549f8
• Instruction ID: 991a59fd1cdf6aa5bae689987180e87485f2547df16822341a623678a703ddc4
• Opcode Fuzzy Hash: 2f88c7a8ff48f3918fb02edd1c945a49ceb3430155b6da30f1e82ecd5c0549f8
• Instruction Fuzzy Hash: 0821E0B5D002489FDB50CFA9D584AEEBBF4EB48320F15842EE918A7310D778A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014C6BEF
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: d111e38ba73d191100626debdedd0a36225a6ad3f942824480e9f845a6f5533f
• Instruction ID: 1e88ef20f22e5d4995c3db05a29e1db26f2ba764863f97346cbd885920903d22
• Opcode Fuzzy Hash: d111e38ba73d191100626debdedd0a36225a6ad3f942824480e9f845a6f5533f
• Instruction Fuzzy Hash: 7521E2B5D002489FDB10CFA9D984ADEBBF8EB48320F15841AE918A7310D774A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 014CC212
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: c4a21839dc44c61dfb086515b27ca664555b67b17e99490b9b0c2c2862eee1bd
• Instruction ID: 5b88de8e4049bdc566d080798a23398603a8fd32b5b79868e83bf73bb6ef0e86
• Opcode Fuzzy Hash: c4a21839dc44c61dfb086515b27ca664555b67b17e99490b9b0c2c2862eee1bd
• Instruction Fuzzy Hash: 421156B59003498FDB60DFAAD58879EBBF8EB48724F64852ED409A7600CB396544CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014C4116
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 577dda5b2b8613c4d3b26d80478c739b1f229e670a96421a141e51b2acbc99db
• Instruction ID: 6c4d13b72ac1efe2ad2ed95a7b77724cd1ebb085e78a3b40dc7a355f946dcfad
• Opcode Fuzzy Hash: 577dda5b2b8613c4d3b26d80478c739b1f229e670a96421a141e51b2acbc99db
• Instruction Fuzzy Hash: 9A114FB6C002498FDB10CFAAC448ACEBBF4EF89220F15812AD429A7610D738A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014C4116
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1e8204e710adfb733d09b0dcef7be3a2289b06d455d59490f955917971e14a7d
• Instruction ID: 7f577d72c558bea48619e2931d31c757b383ef49cf6e25819e9aa20a0c6c6831
• Opcode Fuzzy Hash: 1e8204e710adfb733d09b0dcef7be3a2289b06d455d59490f955917971e14a7d
• Instruction Fuzzy Hash: 041120B6D002498BDB20CF9AC548BDEFBF4EB88620F15842ED829B7610C374A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014C4116
Memory Dump Source
• Source File: 00000002.00000002.605565766.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b56932d92ca6ca30c6640dab63242fcc03b1fbd93ba33fa49492d4d458fd2d58
• Instruction ID: 547b7089e30fe4fd8be00751f266b39d7058ed31d2a9a0f5252bb6f6c7458cba
• Opcode Fuzzy Hash: b56932d92ca6ca30c6640dab63242fcc03b1fbd93ba33fa49492d4d458fd2d58
• Instruction Fuzzy Hash: FC1145B99003498FDB14CF9AC40479EBBF0AF89314F2981AEC058AB311C339954ACFA1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions