Windows Analysis Report packing list commercial invoice and bl termplate draft for export.exe

Overview

General Information

Sample Name: packing list commercial invoice and bl termplate draft for export.exe
Analysis ID: 483686
MD5: ddf2ae4b85ec6e277713ba1b5c844ed7
SHA1: b07236d7dcd264152bdb989840c2b78bdfd84764
SHA256: 34c8be34215e94bd3ffab958ea56583ef0e40adcfa306609a2cb275e3e552d8f
Tags: AgentTesla, exe, Invoice
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales4@italfood.ae", "Password": "Sales@634@$", "Host": "mail.italfood.ae"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: packing list commercial invoice and bl termplate draft for export.exe PID: 6588 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales4@italfood.ae", "Password": "Sales@634@$", "Host": "mail.italfood.ae"}
Multi AV Scanner detection for submitted file
Source: packing list commercial invoice and bl termplate draft for export.exe; Virustotal: Detection: 44%
Machine Learning detection for sample
Source: packing list commercial invoice and bl termplate draft for export.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wVhpvdZWIB.exe; Joe Sandbox ML: detected
Source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49817 -> 185.243.77.210:587

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: packing list commercial invoice and bl termplate draft for export.exe
.NET source code contains very large strings
Source: packing list commercial invoice and bl termplate draft for export.exe, t?fgWql?xy?C/kaBb??kPS?.cs; Long String: Length: 217896
Source: wVhpvdZWIB.exe.0.dr, t?fgWql?xy?C/kaBb??kPS?.cs; Long String: Length: 217896
Source: 0.0.packing list commercial invoice and bl termplate draft for export.exe.9f0000.0.unpack, t?fgWql?xy?C/kaBb??kPS?.cs; Long String: Length: 217896
Source: 9.0.packing list commercial invoice and bl termplate draft for export.exe.cc0000.0.unpack, t?fgWql?xy?C/kaBb??kPS?.cs; Long String: Length: 217896
Source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.cc0000.1.unpack, t?fgWql?xy?C/kaBb??kPS?.cs; Long String: Length: 217896
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: packing list commercial invoice and bl termplate draft for export.exe, 00000000.00000000.665535621.00000000009F2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameZYxe.exeF vs packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe; Binary or memory string: OriginalFilename vs packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameUBrTqcgnlevNnYcnNIDjXNnCM.exe4 vs packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.931249574.0000000000CC2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameZYxe.exeF vs packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe; Binary or memory string: OriginalFilenameZYxe.exeF vs packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe; Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File read: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe 'C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe'
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wVhpvdZWIB' /XML 'C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Process created: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe {path}
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File created: C:\Users\user\AppData\Roaming\wVhpvdZWIB.exe
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File created: C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/3@0/0
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Mutant created: \Sessions\1\BaseNamedObjects\zSdXYymfHDmIfzlxUHn
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: packing list commercial invoice and bl termplate draft for export.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: packing list commercial invoice and bl termplate draft for export.exe, xCJ?xl?mE/doTK??k?tr?e.cs; .Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: wVhpvdZWIB.exe.0.dr, xCJ?xl?mE/doTK??k?tr?e.cs; .Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.packing list commercial invoice and bl termplate draft for export.exe.9f0000.0.unpack, xCJ?xl?mE/doTK??k?tr?e.cs; .Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.packing list commercial invoice and bl termplate draft for export.exe.cc0000.0.unpack, xCJ?xl?mE/doTK??k?tr?e.cs; .Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.cc0000.1.unpack, xCJ?xl?mE/doTK??k?tr?e.cs; .Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File created: \packing list commercial invoice and bl termplate draft for export.exe
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; File created: C:\Users\user\AppData\Roaming\wVhpvdZWIB.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wVhpvdZWIB' /XML 'C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp'
Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe TID: 6984 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe TID: 6924 Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe TID: 6932 Thread sleep count: 740 > 30
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe TID: 6932 Thread sleep count: 9113 > 30
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Window / User API: threadDelayed 740
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Window / User API: threadDelayed 9113
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Process information queried: ProcessInformation
                Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.934998689.00000000065C0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: packing list commercial invoice and bl termplate draft for export.exe Binary or memory string: yNPVBitmapGetObjectget_ypVmCultureypVmDebuggerNonUserCodeAttributePoC
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wVhpvdZWIB' /XML 'C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp'
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Process created: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe {path}
                Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.932745062.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.932745062.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.932745062.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progman
                Source: packing list commercial invoice and bl termplate draft for export.exe, 00000009.00000002.932745062.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match, File source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: packing list commercial invoice and bl termplate draft for export.exe PID: 6588, type: MEMORYSTR
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: Yara match, File source: 00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: packing list commercial invoice and bl termplate draft for export.exe PID: 6588, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match, File source: 9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: packing list commercial invoice and bl termplate draft for export.exe PID: 6588, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 1 | Credentials in Registry 1 | Security Software Discovery 111 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                packing list commercial invoice and bl termplate draft for export.exe | 45% | Virustotal |
                packing list commercial invoice and bl termplate draft for export.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\wVhpvdZWIB.exe | 100% | Joe Sandbox ML |

                Unpacked PE Files

                Source | Detection | Scanner | Label
                9.2.packing list commercial invoice and bl termplate draft for export.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://www.founder.com.cn/cntte12z | 0% | Avira URL Cloud | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
                http://www.fonts.comc | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/J | 0% | URL Reputation | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://Q1q5wm8CcDOVVgnVHl2.net | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/C | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp//t | 0% | Avira URL Cloud | safe
                http://www.galapagosdesign.com/staff/dennis.htmQ$ | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/5 | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/d | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/sv-s | 0% | Avira URL Cloud | safe
                http://mail.italfood.ae | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/s_tr | 0% | URL Reputation | safe
                http://www.itcfonts. | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
                http://pUvlwI.com | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/jp/X | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                http://italfood.ae | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cnantE3& | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries


                    Contacted IPs

                    No contacted IP infos

                    General Information

                    Joe Sandbox Version: 33.0.0 White Diamond
                    Analysis ID: 483686
                    Start date: 15.09.2021
                    Start time: 11:35:17
                    Joe Sandbox Product: CloudBasic
                    Overall analysis duration: 0h 8m 12s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Sample file name: packing list commercial invoice and bl termplate draft for export.exe
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed: 17
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@6/3@0/0
                    EGA Information: Failed
                    HDC Information:
                    • Successful, ratio: 1.7% (good quality ratio 0.2%)
                    • Quality average: 6.7%
                    • Quality standard deviation: 21.5%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 21
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    11:36:40 | API Interceptor | 642x Sleep call for process: packing list commercial invoice and bl termplate draft for export.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\packing list commercial invoice and bl termplate draft for export.exe.log
                    Process:C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1314
                    Entropy (8bit):5.350128552078965
                    Encrypted:false
                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                    C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp
                    Process:C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1643
                    Entropy (8bit):5.186254784704947
                    Encrypted:false
                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGMOtn:cbhK79lNQR/rydbz9I3YODOLNdq3/o
                    MD5:C28D1B999BA6E0FA6518407B0192D343
                    SHA1:B8909B2B932A913CD21574FE2FC4870E8C65DAEB
                    SHA-256:3B7690E16C7E6B1F7A1C421EF9291463E7107DA4A698AF75EA2C01329D77FF20
                    SHA-512:73C09E84B34F74803D4530DC59C00A30A7D37438252C7B5D7D2E1801ECCD0C8727334ADD8F7CDBD0D6200E9535163C82F155EE96AACE2F479ED08D6757F3BE92
                    Malicious:true
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                    C:\Users\user\AppData\Roaming\wVhpvdZWIB.exe
                    Process:C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):878080
                    Entropy (8bit):6.2019750608396755
                    Encrypted:false
                    SSDEEP:6144:6y87fViis7lBGZ1jwtbo9WgnORPsxXwptpMG3CTDkyiegmIqukTNgZ63tCv6pbK4:+twOnTitpBCTDzll5YgS6p55n0F
                    MD5:DDF2AE4B85EC6E277713BA1B5C844ED7
                    SHA1:B07236D7DCD264152BDB989840C2B78BDFD84764
                    SHA-256:34C8BE34215E94BD3FFAB958EA56583EF0E40ADCFA306609A2CB275E3E552D8F
                    SHA-512:D7E6E0C8AC12D4E135E756F31AED8FAD433F134534CBB9CD4668B204376BD8059D6D4E81BC98FB0487E4D1C1BDC093EB26548594EAA6FE440F4FF60220A0A511
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.Aa.................\..........nz... ........@.. ....................................@................................. z..K.................................................................................... ............... ..H............text...tZ... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B................Pz......H........^...............]...............................................0............(....(..........(.....o.....*.....................(.......(.......(.......(.......(.....*.N..(....o....(.....*&..(.....*...s.........s.........s.........s.........s.........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.................,.........o....+....9....~.........,2~.........(....o .....,.

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):6.2019750608396755
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:packing list commercial invoice and bl termplate draft for export.exe
                    File size:878080
                    MD5:ddf2ae4b85ec6e277713ba1b5c844ed7
                    SHA1:b07236d7dcd264152bdb989840c2b78bdfd84764
                    SHA256:34c8be34215e94bd3ffab958ea56583ef0e40adcfa306609a2cb275e3e552d8f
                    SHA512:d7e6e0c8ac12d4e135e756f31aed8fad433f134534cbb9cd4668b204376bd8059d6d4e81bc98fb0487e4d1c1bdc093eb26548594eaa6fe440f4ff60220a0a511
                    SSDEEP:6144:6y87fViis7lBGZ1jwtbo9WgnORPsxXwptpMG3CTDkyiegmIqukTNgZ63tCv6pbK4:+twOnTitpBCTDzll5YgS6p55n0F
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.Aa.................\..........nz... ........@.. ....................................@................................

                    File Icon

                    Icon Hash:00828e8e8686b000

                    Static PE Info

                    General

                    Entrypoint:0x4d7a6e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x6141955C [Wed Sep 15 06:40:28 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd7a20 | 0x4b | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x600 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xd5a74 | 0xd5c00 | False | 0.520642589547 | data | 6.20638181174 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xd8000 | 0x600 | 0x600 | False | 0.44140625 | data | 4.23967348971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_VERSION | 0xd8090 | 0x370 | data | |
                    RT_MANIFEST | 0xd8410 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                    Imports

                    DLL | Import
                    mscoree.dll | _CorExeMain

                    Version Infos

                    Description | Data
                    Translation | 0x0000 0x04b0
                    LegalCopyright | Copyright Hewlett-Packard 2011
                    Assembly Version | 1.0.0.0
                    InternalName | ZYxe.exe
                    FileVersion | 1.0.0.0
                    CompanyName | Hewlett-Packard
                    LegalTrademarks |
                    Comments |
                    ProductName | SuperStudyGuideXML
                    ProductVersion | 1.0.0.0
                    FileDescription | SuperStudyGuideXML
                    OriginalFilename | ZYxe.exe

                    Network Behavior

                    No network behavior found

                    System Behavior

                    General

                    Start time:11:36:14
                    Start date:15/09/2021
                    Path:C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe'
                    Imagebase:0x9f0000
                    File size:878080 bytes
                    MD5 hash:DDF2AE4B85EC6E277713BA1B5C844ED7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:low

                    General

                    Start time:11:36:42
                    Start date:15/09/2021
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wVhpvdZWIB' /XML 'C:\Users\user\AppData\Local\Temp\tmpCAE9.tmp'
                    Imagebase:0x2d0000
                    File size:185856 bytes
                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:11:36:42
                    Start date:15/09/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff724c50000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:11:36:43
                    Start date:15/09/2021
                    Path:C:\Users\user\Desktop\packing list commercial invoice and bl termplate draft for export.exe
                    Wow64 process (32bit):true
                    Commandline:{path}
                    Imagebase:0xcc0000
                    File size:878080 bytes
                    MD5 hash:DDF2AE4B85EC6E277713BA1B5C844ED7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.931203784.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.933232285.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
                    Reputation:low

                    Disassembly

                    Code Analysis

                      Executed Functions

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 016369A0
                      • GetCurrentThread.KERNEL32 ref: 016369DD
                      • GetCurrentProcess.KERNEL32 ref: 01636A1A
                      • GetCurrentThreadId.KERNEL32 ref: 01636A73
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID: l
                      • API String ID: 2063062207-2517025534
                      • Opcode ID: 40cb9fb19c2aaa6233de91f3de0b83ad46da3a8aab202a2e671c80f570cc631f
                      • Instruction ID: 11a367b4afe1d25c7c4f6c8685b3d302b101ead6d1316c97e1f5211832e7a9dc
                      • Opcode Fuzzy Hash: 40cb9fb19c2aaa6233de91f3de0b83ad46da3a8aab202a2e671c80f570cc631f
                      • Instruction Fuzzy Hash: D15178B09046459FDB14CFAADA88BDEBFF0EF88304F248559E459A7360C7746A44CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 016369A0
                      • GetCurrentThread.KERNEL32 ref: 016369DD
                      • GetCurrentProcess.KERNEL32 ref: 01636A1A
                      • GetCurrentThreadId.KERNEL32 ref: 01636A73
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: a117dffed939df94b90688919ce4eb0d315410f34db7d50efeda7c40814de567
                      • Instruction ID: da7d6e279a7c14a42e07add7c53013d9a5a3de3bc7aeeac21438afe694fe7c06
                      • Opcode Fuzzy Hash: a117dffed939df94b90688919ce4eb0d315410f34db7d50efeda7c40814de567
                      • Instruction Fuzzy Hash: 7D5145B09006499FDB14CFAADA48BDEBBF1FF88314F208459E519A7350DB746984CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 01287410
                      • UserClientDllInitialize.USER32 ref: 0128744E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      • Opcode ID: d63b6cbf4246018109156b2a5b4e4c8a8896ba6db5a09f822ce5052117816cd9
                      • Instruction ID: 90dd9c75e1859a70c8eeff184976959406aa587c7a9ad4cf6a7bc01c4f5b333d
                      • Opcode Fuzzy Hash: d63b6cbf4246018109156b2a5b4e4c8a8896ba6db5a09f822ce5052117816cd9
                      • Instruction Fuzzy Hash: 38F12770F211164BEF21AB6DC4807AEB7A6EB95310F344836EA09DB7D1DB35DC428792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 012885B8
                      • UserClientDllInitialize.USER32 ref: 012885F6
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      • Opcode ID: 252e82a968d6efa60aefd44cb2613094c4c3334091d8f57a6805e652bf9c1c18
                      • Instruction ID: 0ae780ad69d2009627b73f941f82c82fbab901833732de29ec883226b6653cb1
                      • Opcode Fuzzy Hash: 252e82a968d6efa60aefd44cb2613094c4c3334091d8f57a6805e652bf9c1c18
                      • Instruction Fuzzy Hash: 2D21B231B102558FDB40EBBCD8489AE77F2FB88204B55846AD509D7395EF389D028B51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 01288210
                      • UserClientDllInitialize.USER32 ref: 0128824E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      • Opcode ID: bb53a5faf94cad3ecabad4c5c2c6e646e89789a0df67936160ef74f3d3177ee6
                      • Instruction ID: 094c2c1c51fe978c626b8c58f0244a434907f22db97a117d8208a17c0c9f43be
                      • Opcode Fuzzy Hash: bb53a5faf94cad3ecabad4c5c2c6e646e89789a0df67936160ef74f3d3177ee6
                      • Instruction Fuzzy Hash: DB21B330B102458FCB41EBBCD848AAEB7F6AB89314B548469D509EB395EE349C058BA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 012880F0
                      • UserClientDllInitialize.USER32 ref: 0128812E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      • Opcode ID: d5fceb2ca2a9b5eb9fbaaa2c342982f7d026a5f486bfa2377c231b2262ca325d
                      • Instruction ID: 7d25ea30c1e8435f9da0db544bd5b21c24add49fa2b940af9df9725b6c651cdf
                      • Opcode Fuzzy Hash: d5fceb2ca2a9b5eb9fbaaa2c342982f7d026a5f486bfa2377c231b2262ca325d
                      • Instruction Fuzzy Hash: 2921C130F142168FCB50EBBCD848AAFB7F2AB88200B548465D509DB394EF349C068B95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016351A2
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: fd6ac22138f2016601098addf1d0ff650acc60c5bfa3eac10af99ed9043832d1
                      • Instruction ID: a7107bacd7dae4cba591b535d165e8963cb640e0c3b6230bc302e4b6e721a0af
                      • Opcode Fuzzy Hash: fd6ac22138f2016601098addf1d0ff650acc60c5bfa3eac10af99ed9043832d1
                      • Instruction Fuzzy Hash: 7951C2B1D102499FDF14CFA9C884ADEBBB1BF88314F64822AE819AB210D7749945CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016351A2
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 01637F01
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01636BEF
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01636BEF
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 0163BEF2
                      Memory Dump Source
                      • Source File: 00000009.00000002.932550778.0000000001630000.00000040.00000001.sdmp, Offset: 01630000, based on PE: false
                      Similarity
                      • API ID: EncodePointer
                      • String ID:
                      • API String ID: 2118026453-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 0128812E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 012885F6
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 0128744E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • UserClientDllInitialize.USER32 ref: 0128824E
                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Similarity
                      • API ID: ClientInitializeUser
                      • String ID:
                      • API String ID: 4216687631-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000009.00000002.931657767.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                      Uniqueness

                      Uniqueness Score: -1.00%